Hack 3. Deny All Access in One Second or Less
Here's a safe way to keep out all users while doing temporary maintenance or troubleshooting.

All administrators eventually need to have a machine running in full multiuser mode, with all services running, but at the same time completely deny login access to the machine. This is usually for the purpose of troubleshooting a problem, testing a new software installation, or performing maintenance or software upgrades. There are a couple of really quick ways to do this.

The first method is by far the quickest. Just run the following command (as root):
This will deny access to anyone trying to log in to the machine. You'll want to be sure to keep an active login session on the machine after you create this file or make sure that root is allowed to log in on the local console or via SSH, since a root login will bypass this mechanism. You'll know it's working because the logs for some services will tell you that access was denied because of the presence of the nologin file. Others will just say "failed password."

This method can be improved through the use of a nologin.txt file, where you can put some text that users will see when they try to log in. If you have a scheduled downtime, for instance, you can put the details into this file so that users will get a friendly reminder that the machine is unavailable during the downtime window.

The second method works only if the services you're running are linked against libwrap, in which case you can very quickly cut off all access to the machine. To check that a service is linked against libwrap, use the ldd command on the binary for the service. For example, to make sure my SSH service is linked against libwrap, I've done the following:
The above output shows all the libraries sshd is linked against, and the path to the library file being used. Clearly, libwrap is linked here. Once you've confirmed that this is the case for the other services you're running, you're ready for the next step. Create a file called /etc/hosts.deny.ALL, which should consist of only one line:
Now, whenever you need to shut down access to the machine, you simply move your /etc/hosts.allow and hosts.deny files out of the way and move your hosts.deny.ALL file into place. Here's a command line that'll handle it nicely:
Now you're left with only a single hosts.deny file, which denies access to everything. Note that it would not help you to just move both files out of the way, because tcpwrappers treats the absence of a file just like an empty file. If there are no files, tcpwrappers acts as though you have two files that have not addressed access controls for a given service, and by default it will grant access to the service!
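
The swap described above can be wrapped so that it refuses to run when hosts.deny.ALL is missing or empty, which is the case that would leave tcpwrappers granting access. This is an added example, not code from the original hack: the function names, the ".saved" suffix and the optional directory argument are assumptions, and it copies hosts.deny.ALL into place rather than moving it so the template stays available.

```shell
#!/bin/sh
# Added example (not from the original page). Function names, the ".saved"
# suffix and the directory argument are assumptions of this sketch.

# lockdown [DIR]: switch DIR (default /etc) to the deny-everything rule set.
lockdown() {
    dir="${1:-/etc}"
    # An absent or empty rule file grants access, so never proceed without a
    # non-empty hosts.deny.ALL to put in place.
    if [ ! -s "$dir/hosts.deny.ALL" ]; then
        echo "lockdown: $dir/hosts.deny.ALL is missing or empty" >&2
        return 1
    fi
    if [ -e "$dir/hosts.deny.saved" ] || [ -e "$dir/hosts.allow.saved" ]; then
        echo "lockdown: saved files already present, restore first" >&2
        return 1
    fi
    # Keep a copy of the current deny rules (empty copy if there were none).
    if [ -e "$dir/hosts.deny" ]; then
        cp -p "$dir/hosts.deny" "$dir/hosts.deny.saved" || return 1
    else
        : > "$dir/hosts.deny.saved" || return 1
    fi
    # Copy then rename: rename within one directory is atomic, so hosts.deny
    # is never missing while the switch happens.
    cp -p "$dir/hosts.deny.ALL" "$dir/hosts.deny.new" || return 1
    mv -f "$dir/hosts.deny.new" "$dir/hosts.deny" || return 1
    # Only now take the allow rules away; hosts.deny already denies everything.
    if [ -e "$dir/hosts.allow" ]; then
        mv "$dir/hosts.allow" "$dir/hosts.allow.saved" || return 1
    fi
    return 0
}

# restore [DIR]: undo lockdown, bringing hosts.allow back before hosts.deny.
restore() {
    dir="${1:-/etc}"
    if [ ! -e "$dir/hosts.deny.saved" ]; then
        echo "restore: nothing to restore in $dir" >&2
        return 1
    fi
    if [ -e "$dir/hosts.allow.saved" ]; then
        mv "$dir/hosts.allow.saved" "$dir/hosts.allow" || return 1
    fi
    mv -f "$dir/hosts.deny.saved" "$dir/hosts.deny" || return 1
    return 0
}
```

Source the file as root and call `lockdown` before maintenance and `restore` afterwards; pass a scratch directory as the argument to rehearse the swap without touching /etc.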
Thursday, October 29, 2009