How to DENY SSH access for certain user on Linux

For security reasons you may need to block SSH access for certain users on a Linux box.

Edit the sshd_config file. Its location can differ between distributions, but it is usually /etc/ssh/sshd_config.

Open the file up while logged on as root:

vi /etc/ssh/sshd_config

Insert a line:

DenyUsers username1 username2 username3 username4

From man sshd_config:

DenyUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that
match one of the patterns. '*' and '?' can be used as wildcards
in the patterns. Only user names are valid; a numerical user ID
is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST are
separately checked, restricting logins to particular users from
particular hosts.

Save the file, check it with sshd -t (a syntax error would leave you without a working sshd), then restart the service (on SuSE: rcsshd restart; existing sessions stay up, only new logins are checked). From then on username1, username2, username3 and username4 can no longer log in over SSH. Two points worth knowing: sshd evaluates DenyUsers before AllowUsers, so a user listed in both is denied; and this only blocks sshd, so if the account must not log in at all, lock it as well (passwd -l username).
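To see how sshd reads the directive, here is an added example (not code from the original post) that evaluates a login against the DenyUsers and AllowUsers lines of a config file in the order sshd applies them: DenyUsers first, then AllowUsers. The sample sshd_config is constructed and written to a temp file; the USER@HOST form, the '*' and '?' wildcards and the deny-before-allow rule are the ones the man page excerpt above describes. DenyGroups/AllowGroups and Match blocks are not modelled.

```shell
#!/bin/sh
# Added example, not code from the original post: decide whether a login would be
# refused by the DenyUsers/AllowUsers lines of an sshd_config, applying the order
# sshd uses (DenyUsers first, then AllowUsers). Patterns are matched with the
# shell's own "case" globbing, which gives the '*' and '?' wildcards sshd_config
# documents. DenyGroups/AllowGroups and Match blocks are not modelled.
set -f   # no pathname expansion: patterns such as guest* must stay literal

# Constructed sample config, written to a temp file so the script runs offline.
SSHD_CFG=$(mktemp)
trap 'rm -f "$SSHD_CFG"' EXIT
cat > "$SSHD_CFG" <<'EOF'
Port 22
DenyUsers username1 username2 guest* ops@10.0.0.*
AllowUsers admin deploy@192.168.1.*
EOF

# config_values FILE KEYWORD -> the values of KEYWORD, one per line
config_values() {
    awk -v key="$2" 'tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# pattern_matches PATTERN USER HOST -> 0 if PATTERN (USER or USER@HOST) matches.
# HOST is whatever sshd would compare: the client address or its resolved name.
pattern_matches() {
    case $1 in
        *@*)
            upat=${1%%@*}; hpat=${1#*@}
            case $2 in $upat) ;; *) return 1 ;; esac
            case $3 in $hpat) return 0 ;; *) return 1 ;; esac
            ;;
        *)
            case $2 in $1) return 0 ;; *) return 1 ;; esac
            ;;
    esac
}

# login_decision FILE USER HOST -> prints "deny" or "allow"
login_decision() {
    cfg=$1 user=$2 host=$3
    for p in $(config_values "$cfg" DenyUsers); do
        if pattern_matches "$p" "$user" "$host"; then echo deny; return 0; fi
    done
    allow=$(config_values "$cfg" AllowUsers)
    if [ -n "$allow" ]; then          # AllowUsers present: everyone not listed is refused
        for p in $allow; do
            if pattern_matches "$p" "$user" "$host"; then echo allow; return 0; fi
        done
        echo deny; return 0
    fi
    echo allow
}

# Demo on constructed logins (USER@CLIENT)
for login in username1@192.168.1.5 guest42@192.168.1.5 ops@10.0.0.7 ops@192.168.1.7 \
             admin@10.0.0.7 deploy@192.168.1.7 deploy@10.0.0.7; do
    printf '%-22s %s\n' "$login" "$(login_decision "$SSHD_CFG" "${login%@*}" "${login#*@}")"
done
```

Note that ops@192.168.1.7 is refused even though the DenyUsers pattern for ops names a different network: once AllowUsers is present, anyone it does not list is denied, which is the usual surprise when both directives are mixed.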
How To Configure Home Directories Permission on Linux

To tighten the permissions on every home directory at once, run the following script as root:


# Tighten the home directory of every non-system account. SLES9 starts regular
# users at UID 500; most current distributions start at 1000, so adjust the bound.
awk -F: '($3 >= 500) { print $6 }' /etc/passwd | while IFS= read -r DIR; do
    [ -d "$DIR" ] || continue    # skip accounts whose home directory does not exist
    chmod g-w "$DIR"
    chmod o-rwx "$DIR"
done

The script removes WRITE permission for the group and READ, WRITE and EXECUTE for others on the home directory of every account whose UID is 500 or higher. Check the awk output first: the UID bound catches every account at or above it, including pseudo-accounts such as nobody (UID 65534), not only people.

List the directory again and the result should look like this (mode 750 on every home):
sles9:/home # ls -lth
total 60K
drwxr-x--- 7 test  users 4.0K Nov 29  2008 test
drwxr-x--- 7 test1 users 4.0K Nov 25  2008 test1
drwxr-x--- 7 dell  users 4.0K Sep  7  2008 dell
drwxr-x--- 7 test2 users 4.0K Aug 18 11:52 test2
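The loop above changes every directory it finds whether or not it needs it, and gives no report. The following added example (not code from the original post) separates the audit from the fix: it lists the home directories that are group-writable or open to "other" and then tightens only those. It runs against a constructed passwd file and scratch directories under a temp dir; the passwd path and the minimum UID are parameters, so /etc/passwd with 500 (SLES9) or 1000 (most current distributions) works the same way.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the home directories
# listed in a passwd-format file and tighten only those that are group-writable
# or reachable by "other". It runs against a constructed passwd file and scratch
# directories; pass /etc/passwd (and your distribution's first regular UID) to use
# it on a real system.
set -e

SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
mkdir -m 755 "$SCRATCH/alice"      # world-readable: offender
mkdir -m 775 "$SCRATCH/bob"        # group-writable: offender
mkdir -m 750 "$SCRATCH/carol"      # already tight
PASSWD="$SCRATCH/passwd"
cat > "$PASSWD" <<EOF
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
alice:x:1001:100:Alice:$SCRATCH/alice:/bin/bash
bob:x:1002:100:Bob:$SCRATCH/bob:/bin/bash
carol:x:1003:100:Carol:$SCRATCH/carol:/bin/bash
dave:x:1004:100:Dave:$SCRATCH/missing:/bin/bash
EOF

# home_dirs PASSWD MIN_UID -> home directory of every account with UID >= MIN_UID
home_dirs() {
    awk -F: -v min="$2" '$3 >= min { print $6 }' "$1"
}

# mode_of PATH -> the 10-character mode string, e.g. drwxr-x---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# home_offenders PASSWD MIN_UID -> directories whose group has w or whose "other"
# class has any bit set (mode positions 6 and 8-10)
home_offenders() {
    home_dirs "$1" "$2" | while IFS= read -r d; do
        [ -d "$d" ] || continue          # account without a home directory: skip
        case $(mode_of "$d") in
            ?????-?---) ;;               # group not writable, other has nothing
            *) printf '%s\n' "$d" ;;
        esac
    done
}

# home_tighten PASSWD MIN_UID -> chmod g-w,o-rwx each offender, reporting the result
home_tighten() {
    home_offenders "$1" "$2" | while IFS= read -r d; do
        chmod g-w,o-rwx "$d"
        printf 'tightened %s -> %s\n' "$d" "$(mode_of "$d")"
    done
}

echo "offenders before:"; home_offenders "$PASSWD" 1000
home_tighten "$PASSWD" 1000
echo "offenders after:";  home_offenders "$PASSWD" 1000
```

Running the audit step on its own (home_offenders) is the useful part on a real box: it shows what would change before anything is touched, and it is cheap enough to run from cron as a drift check.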
How To Disable ipv6 on SuSE Linux

IPv6 is enabled by default in SuSE Linux, even on machines where nothing uses it. An unused, unfiltered protocol is extra attack surface: iptables rules written for IPv4 do not apply to IPv6 traffic.

To check whether IPv6 is currently active, run ifconfig as root:

# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0F:1F:89:8F:D5
          inet addr:192.168.1.100  Bcast:140.171.243.255  Mask:255.255.254.0
          inet6 addr: fe80::20f:1fff:fe89:8fd5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33386388 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2947979 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2211978470 (2109.5 Mb)  TX bytes:380978644 (363.3 Mb)
          Base address:0xdf40 Memory:feae0000-feb00000 

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:895 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:76527 (74.7 Kb)  TX bytes:76527 (74.7 Kb)

If any interface shows an inet6 addr line, as both eth0 and lo do above, the machine IS running IPv6. (The fe80:: address on eth0 is link-local and ::1 is loopback; both appear automatically as soon as the ipv6 module is loaded, without any configuration.)

How to disable IPv6 on SuSE Linux

To disable IPv6 completely, run the following commands as root. They stop the ipv6 kernel module from being loaded; on a kernel with IPv6 built in they have no effect, and on later kernels the sysctl net.ipv6.conf.all.disable_ipv6 = 1 is the equivalent.
# echo "alias net-pf-10 off" >> /etc/modprobe.conf.local
# echo "alias ipv6 off" >> /etc/modprobe.conf.local

Restart the machine, then run ifconfig again: no inet6 addr lines should remain.
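The check above is done by eye. As an added example (not code from the original post), the script below parses ifconfig output of the format shown and lists each IPv6 address with its interface and scope, which separates the automatic link-local and loopback addresses from a Global-scope one that would actually be reachable from outside; it then adds the two modprobe aliases only when they are missing, so it can be rerun safely. The ifconfig text is constructed (the 2001:db8::1 Global address is invented for the demo), and the modprobe file path is a parameter, so the demo writes to a scratch file instead of /etc/modprobe.conf.local.

```shell
#!/bin/sh
# Added example, not code from the original post: parse ifconfig output to list
# IPv6 addresses per interface with their scope, and manage the two modprobe
# aliases from the post idempotently. The ifconfig text is constructed (the
# Global address is invented to show the case that matters most), and the
# modprobe file path is a parameter so the demo writes to a scratch file rather
# than /etc/modprobe.conf.local.
set -f

IFCONFIG_OUT='eth0      Link encap:Ethernet  HWaddr 00:0F:1F:89:8F:D5
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20f:1fff:fe89:8fd5/64 Scope:Link
          inet6 addr: 2001:db8::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
'

# ipv6_addrs -> "IFACE ADDRESS/PREFIX SCOPE" for each inet6 line read from stdin
ipv6_addrs() {
    awk '
        /^[^ \t]/ { iface = $1 }                  # a line at column 1 starts a new interface
        /inet6 addr:/ {
            sub(/.*inet6 addr: */, "")            # keep "ADDR/PREFIX Scope:X"
            split($0, f, " ")
            scope = f[2]; sub(/^Scope:/, "", scope)
            print iface, f[1], scope
        }'
}

# ipv6_global_ifaces -> interfaces holding a Global-scope address (reachable from outside);
# link-local and loopback addresses appear even when you never configured IPv6
ipv6_global_ifaces() {
    ipv6_addrs | awk '$3 == "Global" { print $1 }' | sort -u
}

# ipv6_disabled_in MODPROBE_CONF -> 0 when both aliases from the post are present
ipv6_disabled_in() {
    [ -f "$1" ] || return 1
    grep -q '^alias net-pf-10 off' "$1" && grep -q '^alias ipv6 off' "$1"
}

# disable_ipv6_aliases MODPROBE_CONF -> append whichever alias is missing (safe to rerun)
disable_ipv6_aliases() {
    ipv6_disabled_in "$1" && return 0
    grep -qs '^alias net-pf-10 off' "$1" || echo 'alias net-pf-10 off' >> "$1"
    grep -qs '^alias ipv6 off' "$1"      || echo 'alias ipv6 off' >> "$1"
}

CONF=$(mktemp); trap 'rm -f "$CONF"' EXIT
printf '%s' "$IFCONFIG_OUT" | ipv6_addrs
echo "global IPv6 on: $(printf '%s' "$IFCONFIG_OUT" | ipv6_global_ifaces)"
disable_ipv6_aliases "$CONF"; disable_ipv6_aliases "$CONF"   # second run adds nothing
cat "$CONF"
```

On a live box, `ifconfig | ipv6_addrs` and `disable_ipv6_aliases /etc/modprobe.conf.local` are the real invocations; the Global-scope list is the one to act on first if you decide to keep IPv6 and filter it instead of removing it.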
User Permission Overrides Group Permission on Linux

This is a tricky question I got from a customer who asked why he could not change certain files in his home folder.

For example: a user john whose primary group is finance on one of the Linux servers.

$ id john
uid=1008(john) gid=1002(finance) groups=1002(finance)

$ pwd
/home/john

$ ls -l aug2008.txt
-r--rw-r-- 1 john finance 1168 2008-08-16 11:30 aug2008.txt

The problem:
When john logs in and tries to edit aug2008.txt with vi or any other editor, he gets a READ ONLY error, even though his group finance has rw- on the file. The kernel applies exactly one permission class per access, and for the file's owner that is the owner class: john's r-- is what counts, and the more generous group bits are never consulted for him. A colleague in finance who does not own the file would be able to write it.
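The rule is easy to state and easy to get wrong, so here is an added example (not code from the original post) that implements the class selection in the general case: owner bits if the user owns the file, otherwise group bits if one of the user's groups owns it, otherwise the "other" bits, with no merging between classes. It is run against the post's file (-r--rw-r-- john finance) for john, for a colleague in finance, and for an outsider; the names mary and bob are invented for the demo, and root's DAC bypass is not modelled.

```shell
#!/bin/sh
# Added example, not code from the original post: work out which permission class
# the kernel consults for a given file and user. The rule behind the post's puzzle
# is that exactly one class applies: owner bits if the user owns the file,
# otherwise group bits if one of the user's groups owns it, otherwise "other";
# a more permissive class is never added on top. Root's DAC bypass is ignored.
set -f

# perm_class MODE FILE_OWNER FILE_GROUP USER "USER_GROUPS" -> the rwx triple that applies
# MODE is the 10-character ls -l string, e.g. -r--rw-r--
perm_class() {
    mode=$1 fowner=$2 fgroup=$3 user=$4 ugroups=$5
    if [ "$user" = "$fowner" ]; then
        printf '%s\n' "$mode" | cut -c2-4; return 0
    fi
    for g in $ugroups; do
        if [ "$g" = "$fgroup" ]; then printf '%s\n' "$mode" | cut -c5-7; return 0; fi
    done
    printf '%s\n' "$mode" | cut -c8-10
}

# can_write MODE FILE_OWNER FILE_GROUP USER "USER_GROUPS" -> 0 if that class has the w bit
can_write() {
    case $(perm_class "$@") in
        ?w?) return 0 ;;
        *)   return 1 ;;
    esac
}

# The post's file: -r--rw-r-- john finance aug2008.txt (mary and bob are invented)
for who in "john finance" "mary finance" "bob users"; do
    set -- $who
    printf '%-5s gets %s, write: %s\n' "$1" "$(perm_class -r--rw-r-- john finance "$1" "$2")" \
        "$(can_write -r--rw-r-- john finance "$1" "$2" && echo yes || echo no)"
done
# The fix belongs on the owner class, not the group: chmod u+w aug2008.txt
printf 'after chmod u+w, john gets %s\n' "$(perm_class -rw-rw-r-- john finance john finance)"
```

The same logic explains the opposite surprise, a mode such as -rw----r-- where the owning group is locked out while everybody else can read: the group class is chosen for group members and never falls through to "other".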
How to Authenticate to Active Directory on SuSE Linux 9

My previous post, How to join Fedora Core 6 Samba Server to Windows 2003 Active Directory, has I believe been helpful and gets a lot of traffic from Google searches.

The following article “How to Authenticate to Active Directory on SuSE Linux 9” will focus on how to join AD domain & authentication using SLES9 SP3 running on my VM machine.

The setup details are:

SLES9: 192.168.1.10
Windows 2003 Server: 192.168.1.1
Required RPMs: heimdal-lib (Kerberos), samba-client, samba-winbind, samba, sudo, xntp, glibc, pwdutils, openssh.

A. Time synchronization
Kerberos rejects requests whose timestamp is outside the allowed clock skew (300 seconds in the krb5.conf below), so make sure the clock on the SLES9 box is synchronized with AD:
# rcxntpd start

B. Kerberos setup
Edit /etc/krb5.conf

[libdefaults]
        default_realm = AD.YOURDOMAIN.COM
        clockskew = 300

[realms]
        AD.YOURDOMAIN.COM = {
                kdc = ad01.ad.yourdomain.com
                default_domain = ad.yourdomain.com
                admin_server = ad01.ad.yourdomain.com
        }
        EXAMPLE.COM = {
                kdc = kerberos.example.com
                admin_server = kerberos.example.com
        }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .ad.yourdomain.com = AD.YOURDOMAIN.COM

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 1
                try_first_pass = true
        }

Note: be careful here. Realm names are CASE SENSITIVE and by convention upper case, and Kerberos depends on DNS: the KDC name must resolve from the SLES9 box (forward and reverse), so check name resolution with ping and host rather than only that the address answers.

C. Samba setup
Edit /etc/samba/smb.conf

[global]
winbind separator = +
winbind cache time = 10
winbind use default domain = yes
workgroup = ADYOURDOMAIN
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = AD.YOURDOMAIN.COM
security = ADS
template homedir = /home/%U
template shell = /bin/bash
password server = server.example.com
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n Retype*new*password*%n\n*password:*all*authentication*tokens*updated*successfully
pam password change = Yes

The example shown above is not complete. The lines that matter for the join are realm, which must match default_realm in krb5.conf exactly (upper case), and security = ADS. The password server line is a leftover from the distribution's default file; with security = ADS Samba can locate the domain controller through DNS, so either point it at your DC or remove it.
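Most failed joins on this setup come down to the two files disagreeing with each other, so as an added example (not code from the original post) here is a pre-flight check that parses a krb5.conf and an smb.conf and reports the inconsistencies the steps above warn about: a realm that is not upper case, realms that differ between the files, a missing [realms] block for the default realm, and security not set to ADS. Both files are constructed copies of the fragments in this post (the smb.conf deliberately carries a lower-case realm so the check has something to find); pass the real paths to check a live system.

```shell
#!/bin/sh
# Added example, not code from the original post: cross-check a krb5.conf and an
# smb.conf before running the join, catching the mistakes the post warns about:
# realm names that are not upper case, realms that differ between the two files,
# a missing [realms] entry, and security not set to ADS. Both files are
# constructed copies of the post's fragments (the smb.conf deliberately carries a
# lower-case realm); pass the real paths to check a live system.
set -f
SCRATCH=$(mktemp -d); trap 'rm -rf "$SCRATCH"' EXIT

cat > "$SCRATCH/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = AD.YOURDOMAIN.COM
        clockskew = 300
[realms]
        AD.YOURDOMAIN.COM = {
                kdc = ad01.ad.yourdomain.com
                admin_server = ad01.ad.yourdomain.com
        }
[domain_realm]
        .ad.yourdomain.com = AD.YOURDOMAIN.COM
EOF

cat > "$SCRATCH/smb.conf" <<'EOF'
[global]
workgroup = ADYOURDOMAIN
realm = ad.yourdomain.com
security = ADS
winbind use default domain = yes
EOF

# ini_value FILE SECTION KEY -> the value of KEY inside [SECTION], trimmed; the key
# is compared case-insensitively and may contain spaces (smb.conf style)
ini_value() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { insec = ($0 ~ ("^[ \t]*\\[" sec "\\][ \t]*$")); next }
        insec {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# upper STRING -> STRING in upper case
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# ad_config_problems KRB5 SMB -> one problem per line; no output means consistent
ad_config_problems() {
    krb=$(ini_value "$1" libdefaults default_realm)
    smb=$(ini_value "$2" global realm)
    [ -n "$krb" ] || echo "krb5.conf: no default_realm in [libdefaults]"
    [ "$krb" = "$(upper "$krb")" ] || echo "krb5.conf: default_realm '$krb' is not upper case"
    [ "$smb" = "$(upper "$smb")" ] || echo "smb.conf: realm '$smb' is not upper case"
    [ "$krb" = "$smb" ] || echo "realm mismatch: krb5.conf '$krb' vs smb.conf '$smb'"
    [ "$(ini_value "$1" realms "$krb")" = "{" ] || echo "krb5.conf: no [realms] block for '$krb'"
    [ "$(upper "$(ini_value "$2" global security)")" = ADS ] || echo "smb.conf: security must be ADS"
}

echo "== as written =="
ad_config_problems "$SCRATCH/krb5.conf" "$SCRATCH/smb.conf"
# Fix the realm case in a copy and re-check
sed 's/^realm = .*/realm = AD.YOURDOMAIN.COM/' "$SCRATCH/smb.conf" > "$SCRATCH/smb.fixed.conf"
echo "== after fixing realm =="
ad_config_problems "$SCRATCH/krb5.conf" "$SCRATCH/smb.fixed.conf"
```

The check is static and does not replace the live tests (kinit against the KDC, then net ads join); it is meant to run before them so that the error you then get, if any, is about the domain and not about a typo in one of the two files.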
Planet Malaysia
www.planetmy.com