Shell script to read user ids from a file and create accounts
Step 1: create a users.txt file and put one user id per line in it.
[pocserver01]:/admin/scripts/util>cat users.txt
ram.dh
robert.kj
user3
user4
user5
user100
[pocserver01]:/admin/scripts/util>
Step 2: Create a script (createUsers.sh) that reads the users from this text file (users.txt)
#!/bin/bash
# Read users.txt one line at a time (no word splitting or globbing of the
# file contents) and create each account with a default password of
# <userid>123, expired so the user must change it at first login.
while IFS= read -r i || [ -n "$i" ]; do
    [ -z "$i" ] && continue                                  # skip blank lines
    useradd -g 100 "$i" || { echo "useradd failed for $i" >&2; continue; }
    echo "user $i added successfully!"
    echo "$i:${i}123" | chpasswd
    echo "Password for user $i changed successfully"
    id "$i"
    passwd --expire "$i"
done < users.txt
This script creates Unix/Linux users, sets a default password for each of them (example: userID123) and forces the user to change that default password at first login.
Please keep createUsers.sh and users.txt in the same directory.
Change file and directory permissions
As a middleware admin, it is a common request from developers or other teams to be given read access on non-prod servers so they can check application or server logs while debugging application issues.
It is absolutely fine to provide them read access to only the required file systems.
You can execute the commands below on your prod/non-prod servers (change them according to your requirements):
## Step 1: Provide read access to all directories under /ibm. You can add or customize it according to your need ##
find /ibm/ -type d -exec chmod -c 0755 {} \;
## Step 2: Restrict all those directories which you do not want to expose to others ##
# (list here all the file systems that you want to restrict for users)
find /ibm/WebSphere/AppServer/bin/ -type d -exec chmod -c 0700 {} \;
find /ibm/WebSphere/AppServer/profiles/ -type d -exec chmod -c 0700 {} \;
## Step 3: In the two steps above we first allowed users to enter any directory under /ibm and then restricted their access to selected directories. Now we remove read access for others on every file under /ibm, and in Step 4 give read access back on selected files only ##
find /ibm -type f -exec chmod -c 0750 {} \;
## Step 4: Provide just read permission on the files in the directories listed below (0644: readable by everyone, no execute bit on log files) ##
find /ibm/WebSphere/AppServer/profiles/*/logs/* -type f -exec chmod -c 0644 {} \;
Note that read permission on a file only helps if the user also has execute (traverse) permission on every directory in its path: with profiles/ locked to 0700 in Step 2, the log files from Step 4 stay unreachable for other users until traversal (for example 0711) is re-opened on the directories leading to logs/.
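As an added example (not from the original notes), the script below builds a throwaway copy of the /ibm layout in a temp directory, applies the four chmod steps exactly as written above, and then checks, one path component at a time, whether "other" users can really reach a given file. It shows the profiles/ lock-down from Step 2 blocking the logs opened in Step 4, and the minimal repair (traverse-only 0711 on the directories leading to logs/) that leaves bin/ and config/ closed. All paths under the temp root, the profile name AppSrv01 and the file contents are constructed; Linux with GNU stat is assumed.

```shell
#!/bin/sh
# Added example: apply the text's permission scheme to a constructed tree and
# verify, per path component, what "other" users can actually read.
set -e

ROOT="$(mktemp -d)"
trap 'rm -rf "$ROOT"' EXIT
WAS="$ROOT/WebSphere/AppServer"
mkdir -p "$WAS/bin" "$WAS/profiles/AppSrv01/logs/server1" "$WAS/profiles/AppSrv01/config"
echo 'constructed log line'    > "$WAS/profiles/AppSrv01/logs/server1/SystemOut.log"
echo '<security constructed/>' > "$WAS/profiles/AppSrv01/config/security.xml"
echo 'echo constructed'        > "$WAS/bin/startServer.sh"
LOG="$WAS/profiles/AppSrv01/logs/server1/SystemOut.log"

# Octal mode of a path, e.g. 755 (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# The "other" permission digit (0-7): the last octal digit of the mode.
other_digit() { m="$(mode_of "$1")"; printf '%s\n' "${m#"${m%?}"}"; }

# Steps 1-4 of the text, pointed at the temp tree instead of /ibm.
apply_page_scheme() {
  r="$1"
  find "$r" -type d -exec chmod 0755 {} \;                               # step 1
  find "$r/WebSphere/AppServer/bin" -type d -exec chmod 0700 {} \;       # step 2
  find "$r/WebSphere/AppServer/profiles" -type d -exec chmod 0700 {} \;  # step 2
  find "$r" -type f -exec chmod 0750 {} \;                               # step 3
  find "$r"/WebSphere/AppServer/profiles/*/logs -type f -exec chmod 0644 {} \;  # step 4
}

# Succeeds only if every directory between the tree root $1 and the file $2
# grants "other" execute (traverse) and $2 itself grants "other" read.
# On failure it names the first component that blocks the path.
other_can_read() {
  root="$1"; target="$2"; cur="$1"
  rel="${target#"$root"/}"
  while [ "$rel" != "${rel#*/}" ]; do        # a '/' remains: this part is a directory
    comp="${rel%%/*}"; rel="${rel#*/}"
    cur="$cur/$comp"
    if [ $(( $(other_digit "$cur") & 1 )) -eq 0 ]; then
      echo "blocked: others cannot traverse $cur (mode $(mode_of "$cur"))"; return 1
    fi
  done
  if [ $(( $(other_digit "$target") & 4 )) -eq 0 ]; then
    echo "blocked: others cannot read $target (mode $(mode_of "$target"))"; return 1
  fi
  return 0
}

# The repair: traverse-only (0711: no listing, no reading) on the directories
# that lead to logs/, while bin/ and config/ stay at 0700.
reopen_log_path() {
  r="$1"
  chmod 0711 "$r/WebSphere/AppServer/profiles"
  for p in "$r"/WebSphere/AppServer/profiles/*; do
    chmod 0711 "$p"
    find "$p/logs" -type d -exec chmod 0755 {} \;
  done
}

apply_page_scheme "$ROOT"
if other_can_read "$ROOT" "$LOG"; then PAGE_SCHEME_OK=1; else PAGE_SCHEME_OK=0; fi
reopen_log_path "$ROOT"
other_can_read "$ROOT" "$LOG" && echo "after repair: others can read $LOG"
other_can_read "$ROOT" "$WAS/profiles/AppSrv01/config/security.xml" || echo "config stays private"
```

The first other_can_read call reports "blocked: others cannot traverse .../profiles (mode 700)"; after reopen_log_path the log is readable while security.xml and bin/startServer.sh are still refused, which is the split the four steps were meant to produce.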
Script to force users to change their password every 30 days
#!/bin/bash
# Expire the current password of every user listed in users.txt so that each
# of them has to set a new one at the next login.
while IFS= read -r i || [ -n "$i" ]; do
    [ -z "$i" ] && continue
    passwd --expire "$i"
done < users.txt
Set a cron job to run this script every 30 days.
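The following is an added example, not the createUsers.sh or the expiry script from these notes. It hardens the provisioning loop and folds in the 30-day rule from the section above: users.txt is read line by line, each name is validated, accounts that already exist are skipped, the initial password is random instead of the predictable userID123, and chage both forces a change at first login (-d 0) and sets a 30-day maximum age (-M 30), so the rotation is part of the account and needs no cron job. The file format, gid 100 and the 30-day period come from the notes; the sample users file is constructed, and the dot in names such as ram.dh is assumed to be accepted by this host's useradd, as the notes' examples imply. Nothing on the system is changed unless the script is run as root with --apply.

```shell
#!/bin/sh
# Added example: hardened account provisioning from a users file.
set -e

PASSWORD_MAX_DAYS=30   # rotation period from the notes
DEFAULT_GID=100        # group from the original "useradd -g 100"

# Portable user-name form plus the dot used in names like ram.dh (assumption:
# this host's useradd accepts dots).
valid_username() {
  printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# Print the usable names from a users file: blank lines and '#' comments are
# skipped; names that fail validation are reported on stderr and dropped.
read_users_file() {
  while read -r line || [ -n "$line" ]; do
    line="${line%%#*}"
    if [ -z "$line" ]; then continue; fi
    if valid_username "$line"; then printf '%s\n' "$line"
    else echo "skipping invalid user name: '$line'" >&2; fi
  done < "$1"
}

# 16 random letters/digits from /dev/urandom (safe to pipe through chpasswd).
gen_temp_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# Create one account. With --apply (run as root) the real commands execute;
# otherwise only a dry-run line is printed.
provision_user() {
  user="$1"; apply="$2"
  if getent passwd "$user" > /dev/null 2>&1; then
    echo "user $user already exists, skipping"; return 0
  fi
  pw="$(gen_temp_password)"
  if [ "$apply" = "--apply" ]; then
    useradd -g "$DEFAULT_GID" -m "$user"
    printf '%s:%s\n' "$user" "$pw" | chpasswd
    chage -d 0 -M "$PASSWORD_MAX_DAYS" "$user"   # -d 0: change at next login; -M: max age in days
    echo "user $user created; hand over the one-time password out of band: $pw"
  else
    echo "[dry run] would create $user (gid $DEFAULT_GID), set a one-time password, run chage -d 0 -M $PASSWORD_MAX_DAYS"
  fi
}

USERS_FILE="${USERS_FILE:-users.txt}"
if [ ! -f "$USERS_FILE" ]; then             # constructed sample when no users.txt is in the directory
  USERS_FILE="$(mktemp)"
  printf 'ram.dh\nrobert.kj\n# user3 is commented out\nbad name!\nuser100\n' > "$USERS_FILE"
fi
read_users_file "$USERS_FILE" | while read -r u; do
  provision_user "$u" "${1:-}"
done
```

Run it without arguments first to see the dry-run output (three valid names, "bad name!" rejected on stderr), then as root with --apply to create the accounts.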
PORT Management in Linux
Opening a Port on Linux
- Check whether the port is already in use (port 3000 in this example; on newer distributions where netstat is not installed, ss -lnt shows the same listening sockets):
bash$ netstat -na | grep 3000
- If the port is listening but you still cannot connect to it from another host, then most likely the software firewall is blocking you. You can check by running:
bash$ sudo /sbin/iptables -L
- Look for the port in the output. If it isn't listed, you will need to add it:
bash$ sudo vi /etc/sysconfig/iptables
- Copy one of the other lines that allows a connection to a port (--dport) and edit it to allow access to your new port.
- Save the file
- Restart iptables:
bash$ sudo /sbin/service iptables restart
Example /etc/sysconfig/iptables (for RedHat)
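As an added example (not the file from these notes), a minimal /etc/sysconfig/iptables in the layout RHEL 6 ships by default, with the rule for port 3000 from the steps above copied from the ssh rule. The port number comes from the text; the surrounding rules are the stock defaults and the subnet in the commented-out narrower variant is assumed.

```text
# /etc/sysconfig/iptables (added example, stock RHEL 6 layout)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# The line added for port 3000: copied from the ssh rule and kept ABOVE the
# catch-all REJECT, because rules are matched top to bottom and REJECT ends
# the walk for everything it matches.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
# Narrower variant if only one network needs the port (192.168.10.0/24 is an assumed subnet):
# -A INPUT -s 192.168.10.0/24 -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

After "service iptables restart", "iptables -L -n" should list the new ACCEPT line before the REJECT line; if it appears after it, the port is still closed.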
The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall. ufw is disabled by default. From the ufw man page: "ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules. It is currently mainly used for host-based firewalls." The following are some examples of how to use ufw:
If the port you want to open or close is defined in /etc/services, you can use the port name instead of the number. In the above examples, replace 22 with ssh. This is a quick introduction to using ufw. Please refer to the ufw man page for more information.
ufw Application Integration
Applications that open ports can include a ufw profile, which details the ports needed for the application to function properly. The profiles are kept in /etc/ufw/applications.d, and can be edited if the default ports have been changed.
Not all applications that require opening a network port come with ufw profiles, but if you have profiled an application and want the file to be included with the package, please file a bug against the package in Launchpad:
ubuntu-bug nameofpackage
IP Masquerading
The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus "masqueraded" as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.
ufw Masquerading
IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore, with the rules files located in /etc/ufw/*.rules. These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related. The rules are split into two different files: rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.
IP Masquerading should now be enabled. You can also add any additional FORWARD rules to /etc/ufw/before.rules. It is recommended that these additional rules be added to the ufw-before-forward chain.
iptables Masquerading
iptables can also be used to enable Masquerading.
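As an added example (not text from the guide above), this is the nat block that goes into /etc/ufw/before.rules to masquerade a private LAN, followed by the kind of FORWARD rules the guide says belong on the ufw-before-forward chain. The interfaces (eth0 towards the Internet, eth1 towards the LAN) and the 192.168.0.0/24 subnet are assumed.

```text
# /etc/ufw/before.rules (added example)
# Place this nat block ABOVE the existing "*filter" line. Every table ends
# with its own COMMIT; the filter table that follows is left as it is.
*nat
:POSTROUTING ACCEPT [0:0]
# Packets from the LAN (assumed 192.168.0.0/24) leaving on eth0 get the
# gateway's address; conntrack maps the replies back.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT

# In the existing *filter section of the same file, forward rules go on the
# ufw-before-forward chain. Let the LAN out and only replies back in:
# -A ufw-before-forward -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT
# -A ufw-before-forward -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
```

Masquerading also needs forwarding turned on in the kernel (net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf) and DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw, or forward rules of your own like the two above; the rules files are only re-read when ufw is restarted (sudo ufw disable followed by sudo ufw enable).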
Logs
Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT). If you are using ufw, you can turn on logging by entering the following in a terminal:
sudo ufw logging on
To turn logging off in ufw, simply replace on with off in the above command. If using iptables instead of ufw, enter:
sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 \
  -j LOG --log-prefix "NEW_HTTP_CONN: "
A request on port 80 from the local machine would then generate a log entry in dmesg that looks like this (one line, shown unbroken here):
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
The above log will also appear in /var/log/messages, /var/log/syslog, and /var/log/kern.log. This behavior can be modified by editing /etc/syslog.conf appropriately, or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as logwatch, fwanalog, fwlogwatch, or lire.
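As an added example (not from the guide), the script below pulls the key=value fields out of kernel LOG lines of the format shown above and counts new connections per source address, which is the first thing to look at when reading these logs for unusual activity. The sample file is constructed: its first line is the page's own example entry, the rest are made-up lines in the same format, plus one unrelated kernel message that must be ignored.

```shell
#!/bin/sh
# Added example: parse iptables LOG lines and count new connections per source.
set -e

SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
[4304890.120000] NEW_HTTP_CONN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
[4304890.130000] NEW_HTTP_CONN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
[4304891.000000] unrelated kernel message SRC=10.0.0.9
EOF

# Value of one key in a LOG line; empty for keys with no value such as OUT=.
log_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# "SRC count" for each source seen in lines carrying the given --log-prefix,
# busiest source first.
count_new_conns_by_src() {
  grep -F "$2" "$1" | while read -r line; do log_field "$line" SRC; done \
    | sort | uniq -c | awk '{ print $2, $1 }' | sort -k2,2nr -k1,1
}

# Sources with at least $3 new connections: a simple threshold alert.
sources_over_threshold() {
  count_new_conns_by_src "$1" "$2" | awk -v n="$3" '$2 >= n { print $1 }'
}

count_new_conns_by_src "$SAMPLE" NEW_HTTP_CONN      # 10.0.0.5 2 / 127.0.0.1 1
sources_over_threshold "$SAMPLE" NEW_HTTP_CONN 2    # 10.0.0.5
```

Point the two functions at /var/log/kern.log with the prefix you chose in the LOG rule; the threshold is what turns the listing into an alert worth acting on.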