Monday, April 16, 2007

User Restriction on remote SSL connection

Here's the original source: OpenSSH Root user account restriction - revisited.

-- “I need something that allows me to say: allow any users except root from anywhere, and root only from localhost. (over ssh session)”.

PAM offers very powerful authentication control.
You need to use the pam_access PAM module, which handles access management. It provides login access control based on login names, host or domain names, Internet addresses or network IP numbers, terminal line names, etc.

Why does pam_access matter?
On a production server, an authorized login can come from any networked computer. It is therefore important to keep tight control over which users are allowed to connect to the server via the OpenSSH server.

How do I configure pam_access?
You need to edit the following files:
/etc/pam.d/sshd - Linux PAM configuration file for the sshd service.
/etc/security/access.conf - By default, the rules for access management are taken from this configuration file. When someone logs in, the entries in this file are scanned and matched against the login, and the first matching entry decides whether the login is accepted or refused. General syntax is as follows:
permission : username : origins
Where,
permission : The permission field should be a “+” (access granted) or “-” (access denied) character.
username : Linux system username/login name such as root, yelei etc. You can also specify group names, or use the special keyword ALL (to match all usernames).
origins : A list of one or more tty names, host names, IP addresses, domain names that begin with ".", or the special keywords ALL or LOCAL.

Let us say you want to allow users root and yelei to log in from IP address 202.54.1.20 only.

Open the file /etc/security/access.conf and append the following line:
-: ALL EXCEPT root yelei:202.54.1.20
Save the file, then open /etc/pam.d/sshd and append the following entry:
account required pam_access.so
Save and close the file.
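
To check what a rule set will do before relying on it, the following added example (not from the original article and not pam_access's own code) models the matching described above in simplified form: first matching entry wins, and a login that matches no entry is accepted. It assumes exact-string IPv4 origins and handles only ALL and EXCEPT (no groups, netmasks, LOCAL or IPv6); the user alice, the address 198.51.100.7 and the LOCAL_ROOT_ONLY rule set for the quoted requirement are constructed for illustration.

```python
"""Simplified model of how access.conf entries are evaluated (illustration only)."""

def list_match(tokens, item):
    """Match 'a b EXCEPT c d': item is in the head list and not in the EXCEPT list."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        head, tail = tokens[:cut], tokens[cut + 1:]
    else:
        head, tail = tokens, []
    hit = any(tok in ("ALL", item) for tok in head)
    if hit and tail:
        return not list_match(tail, item)
    return hit

def parse(conf_text):
    """Yield (permission, user_tokens, origin_tokens) for each rule line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in: {raw!r}")
        yield perm, users.split(), origins.split()

def allowed(conf_text, user, origin):
    """First matching rule decides; when no rule matches, the login is accepted."""
    for perm, users, origins in parse(conf_text):
        if list_match(users, user) and list_match(origins, origin):
            return perm == "+"
    return True

# The rule from this page.
PAGE_RULE = "-: ALL EXCEPT root yelei:202.54.1.20"

# Constructed rule set for the quoted requirement:
# root only from the loopback address, everyone else from anywhere.
LOCAL_ROOT_ONLY = """\
+:root:127.0.0.1
-:root:ALL
"""

if __name__ == "__main__":
    for name, conf in (("PAGE_RULE", PAGE_RULE), ("LOCAL_ROOT_ONLY", LOCAL_ROOT_ONLY)):
        for user in ("root", "yelei", "alice"):          # alice is a constructed user
            for origin in ("127.0.0.1", "202.54.1.20", "198.51.100.7"):
                verdict = "allow" if allowed(conf, user, origin) else "deny"
                print(f"{name:16} {user:6} {origin:13} {verdict}")
```

Running it prints one verdict per (user, origin) pair for each rule set, which makes it easy to see which logins an entry actually matches and which fall through to the default.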

Thursday, April 12, 2007

Reload httpd.conf in Apache http server

Before reloading the httpd.conf file, run "apachectl configtest" to check that the configuration file is valid.
According to "man apachectl":
apachectl restart - Restarts the Apache daemon by sending it a SIGHUP. If the daemon is not running, it is started. This command automatically checks the configuration files via configtest before initiating the restart to make sure Apache doesn't die.
apachectl graceful - Gracefully restarts the Apache daemon by sending it a SIGUSR1. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted. A side effect is that old log files will not be closed immediately. This means that if used in a log rotation script, a substantial delay may be necessary to ensure that the old log files are closed before processing them. This command automatically checks the configuration files via configtest before initiating the restart to make sure Apache doesn't die.
'graceful' is only required if you are updating an active in-service machine and do not want to interrupt active connections.

Tuesday, April 10, 2007

A good article about CSS positioning

Here's a good article about CSS positioning at BrainJar.com.
Some other sources for CSS:
Kevin Hale's - An Overview of Current CSS Layout Techniques
htmldog's CSS Beginner's Guide
Mulder's Stylesheets Tutorial
yourhtmlsource.com