Preface
Security is the primary concern of any system. Compared with Windows, Linux offers stronger account and permission security, which can prevent security incidents to a certain extent.
1. Account security measures
System account cleanup
Clean up infrequently used accounts to reduce the number of accounts that can be attacked. Set the shell of non-login users to /sbin/nologin; such an account can then no longer log in.
Lock infrequently used accounts:
usermod -L username    lock the account
passwd -S username     view the lock status
passwd -l username     lock
passwd -u username     unlock
Delete useless accounts:
userdel -r username    (-r also removes the user's home directory)
Lock the account files
In a Linux system the password hashes are stored in /etc/shadow as encrypted strings; /etc/passwd holds only a password placeholder. Use chattr +i /etc/passwd /etc/shadow to lock both files; while they are locked, no user can change their password. chattr -i /etc/passwd /etc/shadow unlocks them again, and lsattr /etc/passwd /etc/shadow shows whether the immutable attribute is set.
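An added example (not from the original post) that audits a passwd file for accounts that still have an interactive shell and prints the usermod/passwd commands from the steps above instead of running them. The passwd content and the allow-list of users that may keep a shell are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/passwd content for
# accounts that still have an interactive login shell and emit the
# remediation commands. Nothing is executed; the output is reviewed first.

# Constructed sample in /etc/passwd format (not a real host's file).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:1001:1001:old backup job:/home/backup:/bin/sh'

# Accounts that must keep a shell (assumed allow-list for this example).
ALLOWED_SHELL_USERS="root alice"

# Print the names of accounts whose shell is interactive (not nologin/false).
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Of the interactive accounts, print those that are not on the allow-list.
unexpected_accounts() {
    for u in $(interactive_accounts "$1"); do
        case " $ALLOWED_SHELL_USERS " in
            *" $u "*) ;;            # expected, skip
            *) echo "$u" ;;
        esac
    done
}

# For each unexpected account: remove the login shell, then lock the password.
remediation_commands() {
    for u in $(unexpected_accounts "$1"); do
        echo "usermod -s /sbin/nologin $u"
        echo "passwd -l $u"
    done
}

remediation_commands "$PASSWD_SAMPLE"
```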
Account security settings
Password validity control sets how long a password remains valid. Once the password has expired, the user is required to change it at the next login.
For new users, set the validity period in the password configuration file /etc/login.defs: change PASS_MAX_DAYS from its default of 99999 (no expiry) to the desired number of days, for example 15.
For existing users, use chage -M days username directly; chage -d 0 username forces the password to be changed at the next login.
Command history can also be abused, so the record should be restricted: keep fewer commands, and clear the history automatically at logout.
Both are done in the configuration file /etc/profile. The HISTSIZE variable defaults to 1000, so 1000 commands are remembered; it can be changed to any value, for example HISTSIZE=200 keeps 200 commands. Apply the file (source /etc/profile) and check the value.
The history is also saved in the ~/.bash_history file, so it can be overwritten or cleared by redirection: echo "" > ~/.bash_history. If this command is added to ~/.bashrc, the previous commands are no longer visible after the next login.
Terminal logout: an idle terminal can be logged out automatically to prevent someone else from using the session. The method is the same as for command history: edit the same configuration file /etc/profile. The TMOUT variable is not present by default and must be added; for example TMOUT=300 logs the terminal out after 300 seconds of inactivity. Apply the file for the setting to take effect.
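An added example (not from the original post) that checks the three settings above, PASS_MAX_DAYS in /etc/login.defs and HISTSIZE/TMOUT in /etc/profile, against the values the post recommends. File contents are passed in as strings, so it runs on the constructed samples below and can be pointed at the real files.

```shell
#!/bin/sh
# Added example (not from the original post): audit password ageing and the
# /etc/profile history/idle settings. Thresholds come from the post:
# 15 days for PASS_MAX_DAYS, 200 for HISTSIZE, 300 seconds for TMOUT.

# Constructed /etc/login.defs sample, still at the 99999 default (never expires).
LOGIN_DEFS_SAMPLE='PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7'

# Constructed /etc/profile sample after the edits the post suggests.
PROFILE_SAMPLE='export HISTSIZE=200
export TMOUT=300'

# Value of KEY in "KEY value" lines (login.defs style); empty if absent.
login_defs_value() {           # $1 = file contents, $2 = key
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Value of a shell assignment VAR=value, with or without a leading "export".
profile_value() {              # $1 = file contents, $2 = variable name
    printf '%s\n' "$1" | awk -v v="$2" '
        { line = $0; sub(/^[ \t]*(export[ \t]+)?/, "", line)
          if (index(line, v "=") == 1) val = substr(line, length(v) + 2) }
        END { print val }'
}

# One finding per weak setting; returns 0 only when everything passes.
audit_settings() {             # $1 = login.defs contents, $2 = profile contents
    rc=0
    max_days=$(login_defs_value "$1" PASS_MAX_DAYS)
    if [ -z "$max_days" ] || [ "$max_days" -gt 15 ]; then
        echo "PASS_MAX_DAYS=${max_days:-unset}: passwords expire too late (want <= 15)"; rc=1
    fi
    histsize=$(profile_value "$2" HISTSIZE)
    if [ -z "$histsize" ] || [ "$histsize" -gt 200 ]; then
        echo "HISTSIZE=${histsize:-unset}: too much history kept (want <= 200)"; rc=1
    fi
    tmout=$(profile_value "$2" TMOUT)
    if [ -z "$tmout" ] || [ "$tmout" -gt 300 ]; then
        echo "TMOUT=${tmout:-unset}: idle terminals stay logged in (want <= 300)"; rc=1
    fi
    return $rc
}

audit_settings "$LOGIN_DEFS_SAMPLE" "$PROFILE_SAMPLE" || echo "hardening incomplete"
```

To audit a real host, pass "$(cat /etc/login.defs)" and "$(cat /etc/profile)" instead of the samples.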
2. Use of the su command and privilege escalation
2.1 Switching users
The basic function of su is to switch users. The format is su - target_user; the dash means the target user's login environment (login shell) is used. root can switch to any other user without entering a password; a normal user switching to another user must enter the target user's password.
Restricting the use of the su command keeps certain users from switching accounts and improves security. There are two parts: add the permitted users to the wheel group, and enable the PAM authentication module.
Adding a user who is allowed to use su to the wheel group is the easy part: gpasswd -a username wheel; groups username shows the membership.
Then open /etc/pam.d/su and uncomment the pam_wheel line (auth required pam_wheel.so use_uid). The first line (pam_rootok) must not be commented out; if it is, the root account cannot use su either.
Once pam_wheel authentication is enabled, users who have not joined the wheel group can no longer use the su command.
The sudo mechanism executes authorized commands as another user (root). Unlike su, the commands must be configured before they can be used: run visudo, or edit /etc/sudoers with vim.
The format of an entry is: user hostname = command list.
vim /etc/sudoers modifies the configuration file directly; because the file is read-only, the save must be forced with :wq!. For example, grant the users in the wheel group the right to use the ifconfig command.
With visudo the template aliases can be used to delegate privileges: User_Alias, Host_Alias and Cmnd_Alias (alias names must be uppercase). The first defines user names, the second host names, and the third the list of programs. An alias entry uses the same format: user_alias host_alias = command_alias list.
In the completed template shown in the figure, the reboot and shutdown commands are denied, so they cannot be executed without permission.
sudo also has a logging function, which is enabled in visudo; the operations performed through sudo are then recorded in the /var/log/sudo file.
The first use of sudo requires the password; it is then cached for 5 minutes, during which sudo can be used without entering the password again.
sudo -l shows which commands the current user has been granted.
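An added example (not from the original post) covering both the su restriction and the sudo configuration above: it renders an alias-based sudoers fragment with the shutdown/reboot denial, logging and 5-minute cache, syntax-checks it with visudo before installing, and checks that the pam_wheel line in /etc/pam.d/su is active. The alias names, host name "srv1", command paths and drop-in file name are assumptions; the pam.d/su content is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): sudoers fragment with aliases,
# validated by visudo before installation, plus a pam_wheel check for su.
# Alias names, host "srv1", command paths and /etc/sudoers.d/10-ops are assumed.

# wheel members may run ifconfig; reboot/shutdown are denied with "!".
# Logging goes to /var/log/sudo and the password is cached for 5 minutes.
render_sudoers_fragment() {
    cat <<'EOF'
User_Alias  OPS = %wheel
Host_Alias  SRVS = srv1
Cmnd_Alias  NETCMD = /sbin/ifconfig
Cmnd_Alias  POWER = /sbin/shutdown, /sbin/reboot, /sbin/halt, /sbin/poweroff
Defaults    logfile=/var/log/sudo, timestamp_timeout=5
OPS SRVS = NETCMD, !POWER
EOF
}

# Write the fragment to a temp file and let visudo check it (mode 0440 as sudo
# expects). Without visudo only a minimal sanity check is possible.
validate_fragment() {
    tmp=$(mktemp) || return 1
    render_sudoers_fragment > "$tmp" && chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null 2>&1; rc=$?
    else
        grep -q '^OPS SRVS = ' "$tmp"; rc=$?
    fi
    rm -f "$tmp"
    return $rc
}

# Install as a drop-in only after validation (requires root).
install_fragment() {
    validate_fragment || { echo "fragment rejected, not installed" >&2; return 1; }
    render_sudoers_fragment > /etc/sudoers.d/10-ops && chmod 0440 /etc/sudoers.d/10-ops
}

# True when /etc/pam.d/su content (passed as a string) has an active pam_wheel line.
pam_wheel_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
}

# Constructed /etc/pam.d/su sample with the pam_wheel line uncommented.
PAM_SU_SAMPLE='auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth substack system-auth'

validate_fragment && echo "sudoers fragment valid" || echo "sudoers fragment rejected"
pam_wheel_enabled "$PAM_SU_SAMPLE" && echo "pam_wheel enabled for su"
```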
2.2 PAM authentication module
By default anyone can use the su command, which makes it easy to leak the root password and creates a security risk. The PAM module hardens su: with PAM authentication enabled, only a very few users are allowed to switch with su.
PAM (Pluggable Authentication Modules) is an efficient, flexible and convenient user authentication mechanism, and it is also the authentication method commonly used on Linux servers.
PAM authentication sequence (figure: PAM diagram)
3. Boot security and password security
BIOS boot
At the physical level, set the first boot device to the hard disk that holds the current system; this is the safest setting, because it prevents booting another system from the network, a CD-ROM or a USB drive. Set the security level to setup and set an administrator password.
GRUB restrictions
At boot, pressing the e key allows the GRUB entry to be edited, which is a serious hidden danger for a server; set a password to protect it.
Use grub2-mkpasswd-pbkdf2 to generate the password hash. Add a password record to the /etc/grub.d/00_header file, then generate a new grub.cfg configuration file.
Back up the configuration files first to avoid losing them. In the configuration, set the user name to root and the password to the encrypted string. Then generate the new grub.cfg; from now on the password must be entered before a menu entry can be edited.
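An added example (not from the original post) for the GRUB steps above: it builds the password stanza for /etc/grub.d/00_header, accepts only a hash in the shape grub2-mkpasswd-pbkdf2 prints, and regenerates grub.cfg only after backing up both files. The grub.cfg path /boot/grub2/grub.cfg, the use of grub2-mkconfig and the hash value are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): GRUB password stanza for
# 00_header with validation and backups. /boot/grub2/grub.cfg and
# grub2-mkconfig are assumed; the hash below is a constructed placeholder.

# Constructed placeholder in the shape grub2-mkpasswd-pbkdf2 prints; not a real hash.
EXAMPLE_HASH='grub.pbkdf2.sha512.10000.0123456789ABCDEF.FEDCBA9876543210'

# Accept only grub.pbkdf2.sha512.<iterations>.<hex salt>.<hex hash>.
valid_grub_hash() {          # $1 = hash string
    printf '%s\n' "$1" | grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'
}

# The lines appended to 00_header: that script cats them into grub.cfg, where
# they declare the superuser (root, as in the post) and its hashed password.
grub_password_stanza() {     # $1 = hash string, $2 = user (default root)
    user=${2:-root}
    valid_grub_hash "$1" || { echo "not a grub PBKDF2 hash: $1" >&2; return 1; }
    cat <<STANZA
cat << EOF
set superusers="$user"
password_pbkdf2 $user $1
EOF
STANZA
}

# Back up 00_header and grub.cfg, append the stanza, rebuild grub.cfg (root only).
apply_grub_password() {      # $1 = hash string
    stanza=$(grub_password_stanza "$1") || return 1
    cp -p /etc/grub.d/00_header /etc/grub.d/00_header.bak || return 1
    cp -p /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak || return 1
    printf '%s\n' "$stanza" >> /etc/grub.d/00_header || return 1
    grub2-mkconfig -o /boot/grub2/grub.cfg
}

grub_password_stanza "$EXAMPLE_HASH"
```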
System login control
The root user can be restricted to logging in only on secure terminals by commenting out terminals in the /etc/securetty file. For example, if tty5 and tty6 are commented out, root can no longer log in from those two terminals.
To prohibit ordinary users from logging in, just create the file /etc/nologin. To allow logins again, delete the file: it is removed automatically on reboot, or it can be deleted manually.
System password cracking
The system passwords can be cracked with third-party software; the commonly used tool is John the Ripper.
It is a password analysis tool that supports dictionary and brute-force cracking, and it can be used to check password strength against the hash strings in the shadow file.
First copy the package onto the system and unpack it. The software is written in C and must be compiled and installed. After that, copy the password file to be tested into the directory; when the brute-force run completes, the result is shown automatically.
The tool works from a dictionary file. The bundled dictionary is not particularly strong, so a different one can be specified: ./john --wordlist=./password.lst /opt/shadow.txt, where password.lst is the built-in dictionary and can be replaced with a more powerful dictionary file.
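An added example (not from the original post) showing the defender-side counterpart to running a cracker over the shadow file: it reads shadow-format lines and reports accounts whose hashes use a weak or legacy algorithm, or no password at all, since those are the entries a dictionary run recovers first. The shadow content is a constructed sample with placeholder hash strings.

```shell
#!/bin/sh
# Added example (not from the original post): audit shadow-format entries for
# weak hash algorithms and empty passwords. The sample below is constructed
# and its hash strings are placeholders, not real hashes.

SHADOW_SAMPLE='root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
olduser:!$1$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::
nopass::19000:0:99999:7:::'

# Map a crypt(3) hash prefix to its algorithm name; "!" or "*" means locked.
hash_algorithm() {           # $1 = hash field from /etc/shadow
    case "$1" in
        '!'*|'*'*)   echo locked ;;
        '')          echo empty ;;
        '$y$'*)      echo yescrypt ;;
        '$7$'*)      echo scrypt ;;
        '$6$'*)      echo sha512 ;;
        '$5$'*)      echo sha256 ;;
        '$2'*)       echo bcrypt ;;
        '$1$'*)      echo md5 ;;
        *)           echo legacy-des-or-unknown ;;
    esac
}

# Print "user algorithm" for each account whose password is weak (MD5, legacy
# DES/unknown, or empty) and not locked.
weak_password_accounts() {   # $1 = shadow contents
    printf '%s\n' "$1" | while IFS=: read -r user hash rest; do
        algo=$(hash_algorithm "$hash")
        case "$algo" in
            md5|legacy-des-or-unknown|empty) echo "$user $algo" ;;
        esac
    done
}

weak_password_accounts "$SHADOW_SAMPLE"
```

On a real host, run it as root with "$(cat /etc/shadow)" as the argument; the reported accounts should have their password reset so the hash is regenerated with the current algorithm.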
Port scanning
Port scanning evaluates the network security of a host by probing its ports. Installation is relatively simple: the tool can be installed with yum, without building from source.
Use this tool to scan the machine's open TCP and UDP ports.