sh: Create a jailed user and set up a firewall filter for that user so they can only reach a web application running on a given port.

Editor's note: this article was compiled by the editors of 小常识网 (cha138.com). It presents a shell script ("sh: Create a jailed user and set up a firewall filter for that user so they can only reach a web application running on a given port") and related background, which we hope is a useful reference.

#!/bin/bash
# Create a jailed (jailkit) user and add firewalld direct rules so that
# processes owned by that user can only reach a single TCP port.
#
# Usage: <script> <username> [port] [ssh-public-key]
set -euo pipefail

# Check the username
if [ -z "${1:-}" ] ; then
  echo "Usage: $0 <username> [port] [ssh-public-key]"
  exit 2
fi

# Validate the username: starts with a letter, then lowercase letters, digits,
# hyphens or underscores, ends in a letter or digit, 4-20 characters in total
if [[ ! $1 =~ ^[A-Za-z][a-z0-9_-]{2,18}[a-z0-9]$ ]] ; then
  echo "Usernames must start with a letter, contain only lowercase alphanumeric characters (hyphens and underscores are optional) and be between 4 and 20 characters long"
  exit 1
fi
user=$1

# Create the user and set a random initial password
useradd "$user"
pword=$(pwgen -y1s 12)
echo "Initial password for $user is $pword"
echo "$user:$pword" | chpasswd
jailspace="${user}_jail"

# Carve out a directory on the host for the jail
mkdir -p "/opt/$jailspace"

# Install basic tools needed in the jail
jk_init -v "/opt/$jailspace" ssh basicshell netbasics extendedshell jk_lsh

# Install additional files/tools
jk_cp -v -f "/opt/$jailspace/" /etc/bashrc

# Bind the new user account to this jail (moves the home directory into it)
jk_jailuser -m -j "/opt/$jailspace/" "$user"

# Set up SSH
sshdir="/opt/$jailspace/home/$user/.ssh"
mkdir -p "$sshdir"

# Install the public key (passed in as the third argument, if any)
if [ -n "${3:-}" ] ; then
  echo "$3" >> "$sshdir/authorized_keys"
else
  touch "$sshdir/authorized_keys"
fi

# Set ownership and read/write/execute permissions
chmod 700 "$sshdir"
chmod 600 "$sshdir/authorized_keys"
chown -R "$user:$user" "$sshdir"

# Change the jailed user's shell from jk_lsh to a full bash inside the jail
sed -i 's@/usr/sbin/jk_lsh@/bin/bash@g' "/opt/$jailspace/etc/passwd"

# Get the UID of the new user so the firewalld rules can match on it
demoUID=$(id -u "$user")

# Allowed port: the second argument if it is 443 or an unprivileged port
# (1000-65535), otherwise default to port 80
appPort=80
if [[ "${2:-}" =~ ^[0-9]+$ ]] && { [ "$2" -eq 443 ] || { [ "$2" -gt 999 ] && [ "$2" -le 65535 ]; }; } ; then
  appPort=$2
fi

# firewalld direct rules: allow outbound TCP to $appPort for this UID (priority 0),
# then drop everything else that user's processes send (priority 1)
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport="$appPort" -m owner --uid-owner "$demoUID" -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m owner --uid-owner "$demoUID" -j DROP

# Reload the firewall to activate the new rules
firewall-cmd --reload

exit 0
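The per-UID egress policy above only works if the ACCEPT rule sits at a lower priority number than the catch-all DROP and no other port is allowed for that UID. The following audit helper is an added example, not part of the original script: it parses text in the format printed by `firewall-cmd --permanent --direct --get-all-rules` (the function name, the sample rules and the UIDs 1001/1002 are constructed for illustration).

```shell
#!/bin/bash
# Added example: audit the per-UID outbound policy created by the jail script.
# Input format is that of `firewall-cmd --permanent --direct --get-all-rules`:
#   <ipv> <table> <chain> <priority> <rule args...>

# Constructed sample: rules as they would look after running the script for
# UID 1001 with port 8080, plus an unrelated ACCEPT for UID 1002 with no DROP.
SAMPLE_RULES='ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=8080 -m owner --uid-owner 1001 -j ACCEPT
ipv4 filter OUTPUT 1 -m owner --uid-owner 1001 -j DROP
ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -m owner --uid-owner 1002 -j ACCEPT'

# check_uid_egress <rules-text> <uid> <port>
# Returns 0 when the policy is sound for <uid>: an ACCEPT for <port> that
# precedes (lower priority number) the catch-all DROP, and no ACCEPT for any
# other port. Returns 1 otherwise.
check_uid_egress() {
  local rules=$1 uid=$2 port=$3
  local accept_prio='' drop_prio='' extra=0 line prio
  while IFS= read -r line; do
    # Consider only OUTPUT rules that match exactly this UID via the owner module
    case "$line" in
      "ipv4 filter OUTPUT "*"--uid-owner $uid "*) ;;
      *) continue ;;
    esac
    set -- $line            # word-split the rule; field 4 is the priority
    prio=$4
    case "$line" in
      *"--dport=$port "*"-j ACCEPT") accept_prio=$prio ;;
      *"-j ACCEPT")                  extra=1 ;;        # some other port allowed
      *"-j DROP")                    drop_prio=$prio ;;
    esac
  done <<EOF
$rules
EOF
  [ -n "$accept_prio" ] || return 1   # no allow rule for the expected port
  [ -n "$drop_prio" ]   || return 1   # no catch-all deny for this UID
  [ "$extra" -eq 0 ]    || return 1   # an unexpected port is also allowed
  [ "$accept_prio" -lt "$drop_prio" ] || return 1  # DROP would shadow ACCEPT
  return 0
}

# live_check <uid> <port>: run the same check against the host (needs root)
live_check() {
  check_uid_egress "$(firewall-cmd --permanent --direct --get-all-rules)" "$1" "$2"
}
```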
