Account security control and sudo authorization commands
- 1. Account security control
- 2. Use the su command to switch users
- 3. PAM security authentication in Linux
- 4. Use the sudo mechanism to escalate privileges
- 5. Security controls for booting and shutdown
1. Account security control
(1) System account cleaning
1. Set the shell of non-login accounts to /sbin/nologin or /bin/false
usermod -s /sbin/nologin username
2. Lock accounts that have not been used for a long time
usermod -L username        lock the user account
usermod -U username        unlock the user account
passwd -l username         lock the user's password
passwd -u username         unlock the user's password
passwd -S username         show the account's status
3. Delete useless accounts
userdel -r username        delete the user together with its home directory
4. Clear an account password
passwd -d username         remove the account's password (the password field becomes empty)
5. Lock the account files passwd and shadow
chattr +i /etc/passwd /etc/shadow    make the files immutable (passwd and shadow can be locked together)
lsattr /etc/passwd /etc/shadow       show the file attributes
chattr -i /etc/passwd /etc/shadow    remove the immutable attribute
User account information is stored in /etc/passwd and /etc/shadow; while either file carries the immutable attribute, no user can be created and no password can be changed until the attribute is removed again.
(2) Password security control
1. Set the password validity period
chage -M days username              set the maximum password age (for existing users)
chage -E yyyy-mm-dd username        set the account expiry date
vi /etc/login.defs                  edit the password policy file (applies to newly created users)
PASS_MAX_DAYS 30                    after this change every newly created user gets a 30-day password validity by default
cat /etc/shadow | grep username     check that the password validity dates were applied
2. Force a password change at the next login
chage -d 0 username                 force the user to change the password at the next login
cat /etc/shadow | grep username     the third field (date of last change) in the shadow file is now 0
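As an added example (not part of the original article), the shell function below reads /etc/shadow-style records and classifies each account according to the states the commands above produce: locked, forced change, no expiry, empty password. The shadow lines it runs on are constructed samples, not taken from a real host.

```shell
#!/bin/sh
# Added example: classify accounts from /etc/shadow-style records.
# SHADOW_SAMPLE is a constructed sample, not a real host's file.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW_SAMPLE='root:$6$salt$h4sh:19000:0:99999:7:::
admin:$6$salt$h4sh:19000:0:30:7:::
olduser:!$6$salt$h4sh:18000:0:99999:7:::
svc:*:18000:0:99999:7:::
newhire:$6$salt$h4sh:0:0:30:7:::
nopass::19000:0:99999:7:::'

# shadow_audit "<shadow text>" prints one "name<TAB>state" line per account.
# The states mirror the commands in this section:
#   locked         -> hash starts with "!" (usermod -L / passwd -l) or "*" (no login password)
#   must-change    -> last-change field is 0 (chage -d 0)
#   no-expiry      -> max age is 99999, i.e. PASS_MAX_DAYS / chage -M never applied
#   EMPTY-PASSWORD -> hash field empty (passwd -d): the account logs in without a password
shadow_audit() {
    printf '%s\n' "$1" | awk -F: '
    NF >= 5 {
        name = $1; hash = $2; last = $3; max = $5
        state = "ok"
        if (hash == "")                          state = "EMPTY-PASSWORD"
        else if (hash ~ /^[!*]/)                 state = "locked"
        else if (last == "0")                    state = "must-change"
        else if (max == "" || max + 0 >= 99999)  state = "no-expiry"
        print name "\t" state
    }'
}

# shadow_state "<shadow text>" name  -> prints the state of a single account
shadow_state() {
    shadow_audit "$1" | awk -v n="$2" '$1 == n { print $2 }'
}

# Against the real file (as root):  shadow_audit "$(cat /etc/shadow)"
shadow_audit "$SHADOW_SAMPLE"
```

Run it as root against the real file with `shadow_audit "$(cat /etc/shadow)"`; the states that need attention are the empty-password and no-expiry ones, since those are exactly what the passwd -d and PASS_MAX_DAYS steps above are meant to prevent or correct.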
(3) Command history restrictions
1. Reduce the number of recorded commands
The file /etc/profile is the system-wide environment configuration file; a change to it takes effect after a reboot or after running source /etc/profile.
[root@localhost ~]# vim /etc/profile        edit the global profile
export HISTSIZE=150                          the default is 1000 entries; set it to 150
:wq
[root@localhost ~]# source /etc/profile      re-executes the commands in /etc/profile in the current shell
[root@promote ~]# history
2. Automatically clear the history command when logging in
The commands in ~/.bashrc run every time a new bash shell starts (including the login shell):
[root@localhost ~]# vim ~/.bashrc
echo " " > ~/.bash_history        overwrite the history file whenever a shell starts
:wq
init 6                            reboot to verify
history
(4) Automatically log off the terminal
Log the terminal out automatically after 600 seconds of inactivity (TMOUT is measured in seconds). The setting is edited the same way as the history limit above, so it is not demonstrated separately.
vi /etc/profile          edit the global profile
export TMOUT=300         idle timeout in seconds
. /etc/profile           reload the profile
2. Use the su command to switch users
1. Purpose and usage
Purpose: Substitute User, i.e. switch to another user account
Format: su - target_user
2. Password verification
- root → any user: no password verification
- ordinary user → other users: the target user's password is verified
su - root: the "-" option means the target user's login shell environment is loaded
(1) Restrict users from using the su command
- Add the users allowed to use the su command to the wheel group
- Enable the pam_wheel authentication module
The su command carries a security risk: every user can repeatedly try the login passwords of other users, and when the target is root the risk is even greater. It is therefore necessary to tighten control of the su command; the PAM authentication module can be used so that only a very small number of designated users can switch with su.
Add the users allowed to use the su command to the wheel group:
gpasswd -a admin wheel        add user "admin" to the wheel group
Configure /etc/pam.d/su to restrict which users may use the su command:
vim /etc/pam.d/su
auth sufficient pam_rootok.so
............
#auth required pam_wheel.so use_uid
............
- The two lines above are shown in their default state (the first line active, the second commented). In this state every user is allowed to use su.
- With both lines commented, every user can still use su, but root must also enter a password when switching to an ordinary user. With the first line active, root switches to ordinary users without a password (the pam_rootok.so module lets a user whose uid is 0, that is root, pass authentication without entering a password).
- With the second line active, only root and members of the wheel group can use su.
- With the first line commented and the second line active, only members of the wheel group can use su; root is denied as well.
View su operation records
Security log file: /var/log/secure
cat /var/log/secure
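As an added example that is not part of the original article, the function below summarises su activity from /var/log/secure-style lines: successful sessions opened as root, and failed su-to-root attempts, per calling user. The log lines are constructed for the example (the pam_unix and "FAILED SU" formats follow what su logs on a CentOS-style host, but the hosts, users and timestamps are invented).

```shell
#!/bin/sh
# Added example: summarise su activity from /var/log/secure-style lines.
# SECURE_SAMPLE is constructed for this example, not copied from a real host.
SECURE_SAMPLE='Mar  1 10:00:01 localhost su: pam_unix(su-l:session): session opened for user root by admin(uid=1000)
Mar  1 10:00:30 localhost su: pam_unix(su-l:session): session closed for user root
Mar  1 10:05:12 localhost su: pam_unix(su-l:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost=  user=root
Mar  1 10:05:15 localhost su: FAILED SU (to root) bob on pts/0
Mar  1 10:05:40 localhost su: FAILED SU (to root) bob on pts/0
Mar  1 10:07:00 localhost su: pam_unix(su-l:session): session opened for user alice by admin(uid=1000)
Mar  1 10:09:00 localhost sshd[2211]: Accepted password for admin from 192.0.2.10 port 50000 ssh2'

# su_report "<log text>" prints:
#   ok    <caller> <count>   su sessions successfully opened as root by <caller>
#   fail  <caller> <count>   failed su-to-root attempts by <caller>
su_report() {
    printf '%s\n' "$1" | awk '
    / su: .*session opened for user root by / {
        n = split($0, a, " by "); who = a[n]
        sub(/\(.*$/, "", who)          # strip the "(uid=1000)" suffix
        ok[who]++
    }
    / su: FAILED SU \(to root\) / {
        n = split($0, w, " ")          # the word after "root)" is the caller
        for (i = 1; i < n; i++)
            if (w[i] == "root)") { fail[w[i + 1]]++; break }
    }
    END {
        for (u in ok)   print "ok\t" u "\t" ok[u]
        for (u in fail) print "fail\t" u "\t" fail[u]
    }'
}

# su_count "<log text>" ok|fail caller  -> the count for one caller (0 if none)
su_count() {
    c=$(su_report "$1" | awk -v k="$2" -v u="$3" '$1 == k && $2 == u { print $3 }')
    echo "${c:-0}"
}

# Against the real log (as root):  su_report "$(cat /var/log/secure)"
su_report "$SECURE_SAMPLE"
```

A burst of "fail" lines for one caller is the repeated password guessing the text above warns about, and a successful root session from a user who is not in the wheel group shows that the pam_wheel line is still commented out.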
3. PAM security authentication in Linux
1. The security risks of the su command
- By default, any user is allowed to use the su command and has the opportunity to repeatedly try the login password of other users (such as root), which brings security risks
- In order to strengthen the control of the use of the su command, the PAM authentication module can be used to allow only a very few users to use the su command to switch
2. PAM pluggable authentication module
- It is an efficient, flexible and convenient user-level authentication method
- It is also a commonly used authentication method for Linux servers
3. Principles of PAM authentication
- PAM authentication generally follows this flow: service → PAM configuration file → pam_*.so module. First the service is identified, then the matching PAM configuration file (under /etc/pam.d) is loaded, and finally the authentication module (under /lib64/security) is called to perform the check.
- When a user accesses the server, the corresponding service program passes the user's request to the PAM module for authentication.
- Different applications use different PAM modules.
To check whether a program supports PAM authentication, list /etc/pam.d/ with the ls command.
vim /etc/pam.d/su
1. The first column is the PAM module type
- auth: verifies the user's identity, for example by prompting for a password or checking whether the user is root.
- account: checks the account's attributes, such as whether it may log in to the system, whether it has expired, whether the maximum number of users has been reached, and so on.
- password: updates user data, such as changing the user's password.
- session: defines the session management performed before login and after logout, such as recording connection information, opening and closing user data, and mounting file systems.
2. The second column is the PAM control flag
- required: the module must return success. If it fails, failure is not returned immediately; the remaining modules of the same type still run, and failure is returned once all of them have executed.
- requisite: like required, but if this module fails, failure is returned immediately for this type.
- sufficient: if this module returns success, success is returned to the program immediately for this type; if it fails, the result of this type is not affected.
- optional: does not decide success or failure; generally not used for verification, only to display information (usually used with the session type).
- include: other PAM configuration files are called during verification. For example, many applications achieve full authentication by calling /etc/pam.d/system-auth (which is mainly responsible for authenticating system logins) instead of writing out every configuration item again.
PAM examples (four users passing through the same auth stack):

Type | Control flag | Module | User 1 | User 2 | User 3 | User 4
---|---|---|---|---|---|---
auth | required | Module 1 | pass | fail | pass | pass
auth | sufficient | Module 2 | pass | pass | fail | pass
auth | required | Module 3 | pass | pass | pass | fail
result | | | pass | fail | pass | pass
3. The third column is the PAM module; modules live in /lib64/security/ by default, and a module outside the default path is given by its absolute path.
4. The fourth column holds the parameters of the PAM module, added as required by the module in use.
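To make the control-flag rules and the table above concrete, here is an added example (not from the original article) that evaluates a one-type PAM stack under a simplified version of those rules: each argument is "flag=result", and the function returns the stack's overall result. It handles only required, requisite, sufficient and optional within a single type (no "include"), and an all-optional stack is outside its scope.

```shell
#!/bin/sh
# Added example: evaluate a PAM stack of one type (e.g. auth) under the
# control-flag rules described above. Each argument is "flag=result", where
# flag is required|requisite|sufficient|optional and result is pass|fail.
# Simplified rules (one type, no "include"):
#   required   : a failure is remembered, but the rest of the stack still runs
#   requisite  : a failure ends the stack immediately with fail
#   sufficient : a success ends the stack immediately with pass, unless an
#                earlier required module already failed; its own failure is ignored
#   optional   : ignored for the final decision
pam_eval() {
    failed=0
    for entry in "$@"; do
        flag=${entry%%=*}
        res=${entry#*=}
        case "$flag" in
            required)
                [ "$res" = pass ] || failed=1 ;;
            requisite)
                if [ "$res" != pass ]; then echo fail; return 0; fi ;;
            sufficient)
                if [ "$res" = pass ] && [ "$failed" -eq 0 ]; then echo pass; return 0; fi ;;
            optional)
                ;;
            *)
                echo "unknown control flag: $flag" >&2; echo fail; return 0 ;;
        esac
    done
    if [ "$failed" -eq 0 ]; then echo pass; else echo fail; fi
}

# The four users of the table above, all passing through the stack
#   auth required Module 1 / auth sufficient Module 2 / auth required Module 3
pam_eval required=pass sufficient=pass required=pass   # User 1
pam_eval required=fail sufficient=pass required=pass   # User 2
pam_eval required=pass sufficient=fail required=pass   # User 3
pam_eval required=pass sufficient=pass required=fail   # User 4
```

User 2 is the instructive case: Module 2 is sufficient and passes, but because the required Module 1 already failed, the sufficient success cannot short-circuit the stack, and the overall result is fail. User 4 shows the opposite: the sufficient success ends the stack before the failing Module 3 is ever consulted.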
4. Use the sudo mechanism to escalate privileges
(1) Overview
1. sudo is an authorization command
Purpose: execute authorized commands as another user (such as root)
(2) Configure sudo authorization
1. Command:
visudo
or
vi /etc/sudoers    (the file's default permission is 440; when saving you must use ":wq!" to force the write)
2. Format
User host name=command program list
user host name=(user) command program list
- User: either a user name, or "%group name" to authorize every member of a group
- Host name: The host name that uses this rule. Localhost can be used if the host name is not configured, the actual host name is used if the host name is configured, and ALL means all hosts
- (User): In what identity the user can execute the command. This item can be omitted. By default, the command is run as the root user
- Command program list: The privileged commands that authorized users are allowed to execute through sudo mode. The full path of the command program needs to be filled in, and multiple commands are separated by commas ",". ALL means all commands in the system
Example analysis:
admin ALL=/sbin/ifconfig        admin may run ifconfig on all hosts
admin1 localhost=/sbin/*,!/sbin/reboot,!/sbin/poweroff        the wildcard "*" means everything and "!" excludes; admin1 may run everything in /sbin except reboot and poweroff
%wheel ALL=NOPASSWD: ALL        members of the wheel group may run any command through sudo without a password
admin2 ALL=(root)NOPASSWD: /bin/kill, /usr/bin/killall        admin2 may run kill and killall without entering a password
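As an added example (not part of the original article), the function below scans sudoers rules like the four above and reports the ones that deserve a second look: NOPASSWD, ALL as the command list, and wildcard commands. The sample it runs on combines the page's four rules with a constructed comment and Defaults line; it is not a real host's /etc/sudoers, and the check is a quick review aid, not a replacement for visudo -c.

```shell
#!/bin/sh
# Added example: flag sudoers rules that deserve review (NOPASSWD, ALL as the
# command list, wildcard commands). SUDOERS_SAMPLE reuses the rules shown above
# plus a constructed comment and Defaults line; it is not a real /etc/sudoers.
SUDOERS_SAMPLE='# constructed sample
Defaults logfile = /var/log/sudo
admin ALL=/sbin/ifconfig
admin1 localhost=/sbin/*,!/sbin/reboot,!/sbin/poweroff
%wheel ALL=NOPASSWD: ALL
admin2 ALL=(root)NOPASSWD: /bin/kill, /usr/bin/killall'

# audit_sudoers "<sudoers text>" prints "who<TAB>finding" for every rule that
# matches one of the checks; a single rule may produce several findings.
audit_sudoers() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*(#|$)/                         { next }   # comments and blank lines
    /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/   { next }   # settings and alias definitions
    {
        who = $1
        rule = $0
        sub(/^[^=]*=[ \t]*/, "", rule)        # keep what follows "host="
        sub(/^\([^)]*\)[ \t]*/, "", rule)     # drop the "(runas)" part
        if (rule ~ /NOPASSWD:/) {
            print who "\tNOPASSWD"
            sub(/NOPASSWD:[ \t]*/, "", rule)
        }
        if (rule ~ /(^|,)[ \t]*ALL[ \t]*(,|$)/) print who "\tALL commands"
        if (rule ~ /\*/)                       print who "\twildcard command"
    }'
}

# Against the real file (as root):  audit_sudoers "$(cat /etc/sudoers)"
audit_sudoers "$SUDOERS_SAMPLE"
```

On the sample, admin's single full-path command produces no finding, admin1's /sbin/* is reported as a wildcard, admin2 is reported for NOPASSWD, and the wheel rule is reported twice (NOPASSWD and ALL commands), which matches the ordering of risk the examples above illustrate.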
(3) Start sudo operation log
visudo                                 open the sudoers editor
Defaults logfile = /var/log/sudo       add this line at the end, then :wq to save and exit
(4) Alias creation
1. Format:
User alias User_Alias
Host alias Host_Alias
Command alias Cmnd_Alias
2. Example analysis:
User_Alias ADMIN=admin1,admin2,admin3        the user alias ADMIN includes: admin1, admin2, admin3
Host_Alias HOST=localhost                     the host alias HOST includes: localhost, hellolee
Cmnd_Alias CMD=/sbin/*,!/sbin/reboot,!/sbin/poweroff        the command alias CMD: everything in /sbin except reboot and poweroff
ADMIN HOST=CMD        equivalent to: user group  host group = command list
5. Security controls for booting and shutdown
1. Adjust the BIOS boot settings
- Set the first boot device to the hard disk holding the current system
- Prohibit booting the system from other devices (CD, USB disk, network)
- Set the security level to "setup" and set an administrator password
2. GRUB restrictions
- Use grub2-mkpasswd-pbkdf2 to generate the password hash
- Edit the /etc/grub.d/00_header file and add the password record
- Generate a new grub.cfg configuration file
(1) Restrict changes to GRUB boot parameters
1. Under normal circumstances, when the system boots into the GRUB menu, pressing the e key lets anyone view and modify the GRUB boot parameters, which is a serious threat to the server.
2. A password can be set for the GRUB menu, and only the correct password is allowed to modify the boot parameters.
grub2-mkpasswd-pbkdf2                                      set the GRUB menu password when prompted
PBKDF2 hash of your password is ……                          the omitted part is the generated password hash string
cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak           back up the files
cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
vim /etc/grub.d/00_header
cat << EOF
set superusers="root"                                      set the superuser name to root
password_pbkdf2 root <password hash string>                set the password; replace the placeholder with the hash generated above
EOF
grub2-mkconfig -o /boot/grub2/grub.cfg                     generate the new grub.cfg file
In summary: 1. generate the password hash string; 2. back up the files; 3. edit the configuration file /etc/grub.d/00_header; 4. verify the result.
(2) Prohibit root user login
In a Linux system, the login program will read the /etc/securetty file to determine which terminals (secure terminals) are allowed to log in to the system from the root user.
vi /etc/securetty
#tty5        comment out a terminal with "#" to stop root from logging in on it
tty6
(3) Ordinary users are prohibited from logging in
The login program will check whether the /etc/nologin file exists, and if it exists, it will refuse ordinary users to log in to the system (root users are not restricted).
touch /etc/nologin        creating the /etc/nologin file blocks ordinary users from logging in
rm -rf /etc/nologin       deleting the file lifts the login restriction