Account security
Table of Contents
Forbid ordinary users to log in
Use su command to switch users
Restrict users from using the su command
PAM Security Authentication in Linux
The hidden dangers of su command
PAM pluggable authentication module
Principles of PAM authentication
PAM security certification process
System account cleanup
Prohibit root user login
In a Linux system, the login program reads the /etc/securetty file to determine which terminals (secure terminals) allow the root user to log in to the system
vi /etc/securetty
#tty5
//To forbid root login on a terminal, comment out that terminal's line by adding # in front of it
tty6
Forbid ordinary users to log in
The login program checks whether the /etc/nologin file exists; if it does, ordinary users are refused login to the system (the root user is not restricted)
touch /etc/nologin
//Create the /etc/nologin file to prohibit ordinary users from logging in
rm -rf /etc/nologin
//Delete the file to cancel the login restriction
Password security control
chage -M days user    Set the user's password validity period (maximum number of days)
chage -E xxxx-xx-xx user    Set the account expiration date (year-month-day)
Set password validity period
vim /etc/login.defs (applies to newly created users)
Force a user to change the password the next time they log in
chage -d 0 user
Prevent leaks of historical records
An attacker who gains access can read the commands entered previously, which may disclose sensitive information such as the root password
Reduce the number of recorded commands
vi /etc/profile
export HISTSIZE=200
Automatically clean up history when logging in
vim ~/.bashrc
echo " " > ~/.bash_history
Terminal automatic logout
Automatically log out when the terminal is idle for a period of time
vim /etc/profile
export TMOUT=600
Use su command to switch users
Substitute User: switch to another user
su - target_user
Password validation
root → any user: no password is required
ordinary user → other users: the target user's password must be entered
Restrict users from using the su command
Add the users who are allowed to use the su command to the wheel group and enable the pam_wheel authentication module
PAM Security Authentication in Linux
The hidden dangers of su command
By default, any user is allowed to run the su command and therefore has the opportunity to repeatedly guess the login password of other users (such as root), which is a security risk
To tighten control over the use of su, the PAM authentication module can be used so that only a very small number of users are allowed to switch users with su
PAM pluggable authentication module
It is an efficient, flexible and convenient user-level authentication method
It is also a commonly used authentication method for Linux servers
Principles of PAM authentication
General rule
Service → PAM (configuration file) → pam_*.so
First the service is determined, then the corresponding PAM configuration file (under /etc/pam.d) is loaded, and finally the authentication modules (under /lib64/security) are called to perform the security authentication
When a user accesses the server, a certain service program of the server sends the user's request to the PAM module for authentication
The PAM modules corresponding to different applications are different
To check whether a program supports PAM authentication, list /etc/pam.d/ with the ls command and look for a configuration file named after that program
The first column represents the type of PAM authentication module
auth: verifies the user's identity, for example by prompting for a password or checking whether the user is root.
account: Check the various attributes of the account, such as whether it is allowed to log in to the system, whether the account has expired, whether it has reached the maximum number of users, etc.
password: Use user information to update data, such as modifying user passwords.
session: Defines the session operation management to be performed before login and after logout, such as login connection information, opening and closing of user data, and mounting the file system.
The second column represents the PAM control flag
required: the module must succeed. If it fails, the failure is not returned immediately; the remaining modules of the same type still run, and failure is returned only after all modules of this type have executed.
requisite: like required, but if this module fails, failure is returned immediately and this type is considered to have failed.
sufficient: if this module succeeds, success is returned to the program immediately and this type is considered to have succeeded; if it fails, it does not affect the return value of this type.
optional: returns neither success nor failure; generally not used for verification, only for displaying information (usually used with the session type).
include: other PAM configuration files are called during verification. For example, many applications authenticate simply by calling /etc/pam.d/system-auth (which is mainly responsible for authenticating logins to the system) instead of rewriting the configuration items one by one.
The third column represents the PAM module. The default is in the /lib64/security/ directory. If it is not in the default path, fill in the absolute path.
The fourth column represents the parameters of the PAM module, which needs to be added according to the module used
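The following Python example is added here and is not part of the original page: it parses the four-column /etc/pam.d format just described, checks that the pam_wheel rule that restricts su (see the section on restricting the su command) is active, and applies the control-flag rules (required, requisite, sufficient, optional) to one authentication type. The /etc/pam.d/su content and the module outcomes are constructed for the example; no real PAM module is invoked.

```python
# Added example, not from the original page: parse the four-column /etc/pam.d
# format described above, check that the pam_wheel rule restricting su is active,
# and apply the control-flag rules to one type. Module outcomes are supplied by
# hand; no real PAM module is called.
from typing import Dict, List, Tuple

# Constructed sample of /etc/pam.d/su with the pam_wheel line uncommented.
SAMPLE_SU_CONFIG = """\
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
auth        required    pam_wheel.so use_uid
auth        include     system-auth
account     include     system-auth
"""

def parse_pam(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (type, control flag, module, args) per rule; blank and # lines skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed: fewer than the three mandatory columns
        rules.append((fields[0], fields[1], fields[2], fields[3:]))
    return rules

def wheel_enforced(rules) -> bool:
    """True when an active auth rule makes pam_wheel.so mandatory."""
    return any(t == "auth" and m == "pam_wheel.so" and c in ("required", "requisite")
               for t, c, m, _ in rules)

def evaluate(rules, auth_type: str, results: Dict[str, bool]) -> bool:
    """Outcome of one type; results maps module name -> success.
    Modules with no entry (e.g. include targets) are skipped here."""
    failed = False
    for t, control, module, _ in rules:
        if t != auth_type or module not in results:
            continue
        ok = results[module]
        if control == "required" and not ok:
            failed = True     # keep running the remaining rules, fail at the end
        elif control == "requisite" and not ok:
            return False      # fail immediately
        elif control == "sufficient" and ok and not failed:
            return True       # success ends the stack unless a required rule already failed
        # optional: never decides the outcome
    return not failed
```

With the sample config, root succeeds at pam_rootok.so (sufficient) without reaching the wheel check, while an ordinary user outside the wheel group fails the required pam_wheel.so rule and is denied.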
PAM security certification process