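Linux Access Control and Time Synchronization in Practice
1. Write a script /root/bin/checkip.sh that runs every 5 minutes; if an IP has more than 10 failed ssh logins, automatically add that remote IP to the TCP Wrapper blacklist to deny it access
Method 1: script + scheduled task
1) Write the script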
[root@test ~]#cat checkip.sh
#!/bin/bash
#
#************************************************************************
#Author: qiuhom
#QQ: 467697313
#mail: qiuhom467697313@qq.com
#Date: 2019-12-22
#FileName: checkip.sh
#URL: https://www.cnblogs.com/qiuhom-1874/
#Description:
#Copyright (C): 2019 All rights reserved
#************************************************************************
# Must run as root: it reads /var/log/secure and appends to /etc/hosts.deny
[ $UID -ne 0 ] && echo "this script must root run it " && exit 1
# Working directory for the intermediate "ip==>count" list
if [[ ! -e "/work" ]]; then
    mkdir /work
fi
# Count failed password attempts per source IP, one "ip==>count" per line
cmd=`cat /var/log/secure|grep "Failed password for qiuhom"|awk '{print $(NF-3)}'|sort|uniq -c|awk '{print $2"==>"$1}'`
echo "$cmd">/work/ip.txt
for i in `cat /work/ip.txt`
do
    ip=`echo "$i"|awk -F "==>" '{print $1}'`
    count=`echo "$i"|awk -F "==>" '{print $2}'`
    if [ "$count" -gt 10 ];then
        # Exact fixed-string match on the whole line, so that 1.2.3.4
        # is not treated as already listed because 11.2.3.45 is
        xx=`grep -xF "ALL:$ip" /etc/hosts.deny |wc -l`
        if [ "$xx" == 0 ];then
            echo "ALL:$ip" >> /etc/hosts.deny
        fi
    fi
done
[root@test ~]#
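Note: the idea of this script is to filter failed logins out of the log, extract the source IP of each one, and count how many times each IP appears; if an IP has failed to log in 10 times, it is added to /etc/hosts.deny (the TCP Wrapper blacklist) so that the IP is blocked.
2) Set up the scheduled task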
[root@test ~]#crontab -l
*/5 * * * * bash /root/bin/checkip.sh &> /dev/null
Method 2: script only, using an infinite loop plus sleep to control the execution interval
[root@test ~]#cat checkip.sh
#!/bin/bash
#
#************************************************************************
#Author: qiuhom
#QQ: 467697313
#mail: qiuhom467697313@qq.com
#Date: 2019-12-22
#FileName: checkip.sh
#URL: https://www.cnblogs.com/qiuhom-1874/
#Description:
#Copyright (C): 2019 All rights reserved
#************************************************************************
# Must run as root: it reads /var/log/secure and appends to /etc/hosts.deny
[ $UID -ne 0 ] && echo "this script must root run it " && exit 1
if [[ ! -e "/work" ]]; then
    mkdir /work
fi
# Loop forever, re-checking the log every 300 seconds (5 minutes)
while true
do
    sleep 300
    # Count failed password attempts per source IP, one "ip==>count" per line
    cmd=`cat /var/log/secure|grep "Failed password for qiuhom"|awk '{print $(NF-3)}'|sort|uniq -c|awk '{print $2"==>"$1}'`
    echo "$cmd">/work/ip.txt
    for i in `cat /work/ip.txt`
    do
        ip=`echo "$i"|awk -F "==>" '{print $1}'`
        count=`echo "$i"|awk -F "==>" '{print $2}'`
        if [ "$count" -gt 10 ];then
            # Exact fixed-string match on the whole line, so that 1.2.3.4
            # is not treated as already listed because 11.2.3.45 is
            xx=`grep -xF "ALL:$ip" /etc/hosts.deny |wc -l`
            if [ "$xx" == 0 ];then
                echo "ALL:$ip" >> /etc/hosts.deny
            fi
        fi
    done
done
[root@test ~]#
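The detection step shared by both versions of checkip.sh, as an added example that is not the author's script: it counts failures for any user name in a single awk pass, reads the address by position from the end of the log line, and appends only entries that are not already present. The function names, the file arguments and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's checkip.sh. Function names are hypothetical;
# log and deny-file paths are arguments, and the sample lines are constructed.

# new_deny_entries LOG DENY LIMIT
# Print "ALL:<ip>" for each source IP with more than LIMIT failed password
# attempts in LOG that is not already listed in DENY.
new_deny_entries() {
    awk -v deny="$2" -v limit="$3" '
        # Deny file: remember every line for an exact-match lookup, so that
        # 203.0.113.4 is not mistaken for an existing 203.0.113.45 entry.
        FILENAME == deny { have[$0] = 1; next }
        # The user name is supplied by the remote client and may contain
        # spaces, so read the address by position from the END of the line:
        #   ... from <ip> port <n> ssh2
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" &&
        $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { fails[$(NF-3)]++ }
        END {
            for (ip in fails)
                if (fails[ip] > limit && !(("ALL:" ip) in have))
                    print "ALL:" ip
        }' "$2" "$1" | sort
}

# block_offenders LOG DENY LIMIT
# Append the new entries to DENY and print how many were added. A second run
# over the same log adds nothing, which is what a 5-minute schedule needs.
block_offenders() {
    [ -e "$2" ] || : > "$2"
    new=$(new_deny_entries "$1" "$2" "$3")
    if [ -z "$new" ]; then echo 0; return 0; fi
    printf '%s\n' "$new" >> "$2"
    printf '%s\n' "$new" | wc -l | tr -d ' '
}

# emit_failures N USER IP: print N constructed "Failed password" log lines
emit_failures() {
    n=0
    while [ "$n" -lt "$1" ]; do
        echo "Dec 22 13:00:00 test sshd[2001]: Failed password for $2 from $3 port 40000 ssh2"
        n=$((n + 1))
    done
}

# make_sample_log FILE: constructed data using documentation address ranges
make_sample_log() {
    {
        emit_failures 12 "qiuhom" 203.0.113.4
        emit_failures 11 "invalid user ops from lab" 198.51.100.7
        emit_failures 10 "root" 192.0.2.9            # exactly 10: not "more than 10"
        echo "Dec 22 13:05:00 test sshd[2002]: Accepted password for qiuhom from 192.0.2.10 port 5000 ssh2"
    } > "$1"
}

# Demo on temporary files only; nothing under /etc or /var/log is touched.
demo_dir=$(mktemp -d)
make_sample_log "$demo_dir/secure"
echo "ALL:203.0.113.45" > "$demo_dir/hosts.deny"     # constructed earlier entry
block_offenders "$demo_dir/secure" "$demo_dir/hosts.deny" 10
cat "$demo_dir/hosts.deny"
rm -rf "$demo_dir"
```

To use it against the real files, call block_offenders with /var/log/secure, /etc/hosts.deny and 10 as the three arguments.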
2. Configure sudo for the magedu user so that magedu has root privileges
Method 1: add the magedu user to the wheel group, without changing /etc/sudoers
[root@test ~]#id magedu
uid=1004(magedu) gid=1004(magedu) 组=1004(magedu)
[root@test ~]#su - magedu
上一次登录:日 12月 22 13:52:50 CST 2019pts/0 上
[magedu@test ~]$cat /etc/sudoers
cat: /etc/sudoers: 权限不够
[magedu@test ~]$su -
密码:
上一次登录:日 12月 22 13:26:01 CST 2019pts/0 上
[root@test ~]#usermod -aG wheel magedu
[root@test ~]#id magedu
uid=1004(magedu) gid=1004(magedu) 组=1004(magedu),10(wheel)
[root@test ~]#su - magedu
上一次登录:日 12月 22 13:55:04 CST 2019pts/0 上
[magedu@test ~]$cat /etc/sudoers
cat: /etc/sudoers: 权限不够
[magedu@test ~]$sudo cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults always_query_group_plugin

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
qiuhom ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
[magedu@test ~]$
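Note: this method works because /etc/sudoers is configured to allow members of the wheel group to run all commands.
Method 2: configure the magedu user so that it can do anything in place of the root user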
[magedu@test ~]$su -
密码:
上一次登录:日 12月 22 13:55:26 CST 2019pts/0 上
[root@test ~]#usermod -G magedu magedu
[root@test ~]#id magedu
uid=1004(magedu) gid=1004(magedu) 组=1004(magedu)
[root@test ~]#echo "magedu ALL=(root) ALL" >> /etc/sudoers
[root@test ~]#tail /etc/sudoers
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
magedu ALL=(root) ALL
[root@test ~]#su - magedu
上一次登录:日 12月 22 13:55:49 CST 2019pts/0 上
[magedu@test ~]$cat /etc/sudoers
cat: /etc/sudoers: 权限不够
[magedu@test ~]$sudo cat /etc/sudoers
[sudo] magedu 的密码:
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults always_query_group_plugin

Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"

Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
qiuhom ALL=(ALL) ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
magedu ALL=(root) ALL
[magedu@test ~]$
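Note: the method above configures the magedu user so that it can run all commands as root. The sudoers file's own header says it must be edited with visudo, which checks the syntax before saving; appending a line with echo skips that check.
4. Configure the chrony service for automatic server time synchronization
1) Install the chrony service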
yum install chrony -y
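Note: when ntp is used as the time synchronization server or client software, it has to run as a daemon in both roles. A drawback of ntp as the server software is that its synchronization cycle is very long, so this lab uses chrony as both the client and the server software; it is more accurate than ntp and its synchronization cycle is shorter.
2) Configure chrony.conf so that it runs as a time server and allows the internal network segment to synchronize time, then start the service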
[root@test ~]#cat /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *

# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2

# Allow NTP client access from local network.
allow 192.168.0.0/16

# Serve time even if not synchronized to a time source.
#local stratum 10

# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking
[root@test ~]#
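Note: server is the time server address; allow is followed by the permitted client address/netmask, or it can be set to allow all, which lets every client synchronize time.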
systemctl start chronyd
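Note: once the chronyd service is started, this server can be used as a time synchronization server. The chronyc tool shows which server the time server itself is currently synchronizing from. By default chronyd listens on UDP ports 123 and 323.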
[root@test ~]#ss -nulp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:123 *:* users:(("chronyd",pid=17074,fd=7))
UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=17074,fd=5))
UNCONN 0 0 ::1:323 :::* users:(("chronyd",pid=17074,fd=6))
[root@test ~]#
[root@test ~]#chronyc sources -v
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* sv1.ggsrv.de                  2   7   377    10   -361us[ -538us] +/-  128ms
[root@test ~]#chronyc sourcestats -v
210 Number of sources = 1
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |           /         .- Est. offset.
                           |   |   |     |          |          |   On the -.
                           |   |   |     |          |          |   samples. \
                           |   |   |     |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
sv1.ggsrv.de               22  12   22m     -0.040      2.784   -937ns  1441us
[root@test ~]#
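Note: as shown, chrony acting as a client is currently synchronizing time from the internet server sv1.ggsrv.de. chronyc is an interactive tool that can display the state of the time server and manage the time server; it has many subcommands, and its help text is available through the chronyc help command.
3) Configure the client and point it at the time server we have just set up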
[root@test ~]#yum info chrony
Loaded plugins: fastestmirror, security
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.7 kB 00:00
epel | 5.3 kB 00:00
epel/primary_db | 6.1 MB 00:01
extras | 3.4 kB 00:00
extras/primary_db | 29 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 7.5 MB 00:02
Available Packages
Name : chrony
Arch : x86_64
Version : 2.1.1
Release : 2.el6_8
Size : 266 k
Repo : base
Summary : An NTP client/server
URL : http://chrony.tuxfamily.org
License : GPLv2
Description : A client/server for the Network Time Protocol, this program keeps your
: computer's clock accurate. It was specially designed to support
: systems with intermittent internet connections, but it also works well
: in permanently connected environments. It can use also hardware reference
: clocks, system real-time clock or manual input as time references.

[root@test ~]#yum install chrony -y
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package chrony.x86_64 0:2.1.1-2.el6_8 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================
Installing:
chrony x86_64 2.1.1-2.el6_8 base 266 k

Transaction Summary
=====================================================================================================================
Install 1 Package(s)

Total download size: 266 k
Installed size: 453 k
Downloading Packages:
chrony-2.1.1-2.el6_8.x86_64.rpm | 266 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : chrony-2.1.1-2.el6_8.x86_64 1/1
Verifying : chrony-2.1.1-2.el6_8.x86_64 1/1

Installed:
chrony.x86_64 0:2.1.1-2.el6_8

Complete!
[root@test ~]#vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org iburst
#server 1.rhel.pool.ntp.org iburst
#server 2.rhel.pool.ntp.org iburst
#server 3.rhel.pool.ntp.org iburst
server 192.168.0.99
# Ignore stratum in source selection.
stratumweight 0

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Allow NTP client access from local network.
#allow 192.168/16

# Serve time even if not synchronized to any NTP server.
#local stratum 10

# Specify file containing keys for NTP and command authentication.
keyfile /etc/chrony.keys

# Specify key number for command authentication.
commandkey 1

# Generate new command key on start if missing.
generatecommandkey

# Disable logging of client accesses.
noclientlog

# Send message to syslog when clock adjustment is larger than 0.5 seconds.
"/etc/chrony.conf" 46L, 1272C written
[root@test ~]#
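Note: the client also needs the chrony package installed and its service running. Alternatively, the client can install the ntp package and synchronize with ntpdate followed by the time server address. Synchronizing with ntpdate plus the server address is crude: it actually jumps the host's time straight to the current time, leaving a gap in between, and synchronizing this way is strongly discouraged.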
[root@test ~]#date
Thu Dec 12 12:14:08 CST 2019
[root@test ~]#chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 192.168.0.99 3 6 17 3 -21us[-14582m] +/- 131ms
[root@test ~]#date
Sun Dec 22 15:16:15 CST 2019
[root@test ~]#date -s "20191212 12:12:00"
Thu Dec 12 12:12:00 CST 2019
[root@test ~]#date
Thu Dec 12 12:12:02 CST 2019
[root@test ~]#ntpdate 192.168.0.99
22 Dec 15:18:15 ntpdate[3911]: step time server 192.168.0.99 offset 875161.922491 sec
[root@test ~]#date
Sun Dec 22 15:18:17 CST 2019
[root@test ~]#
5. Automated installation with cobbler + pxe
For details, see my blog post https://www.cnblogs.com/qiuhom-1874/p/12081310.html