System security application
I. Basic security implementation

1. Lock users and lock files

1) Lock account

[root@localhost ~]# usermod -L lisi       //lock the account
[root@localhost ~]# passwd -S lisi       //check the account status
lisi LK 1969-12-31 0 99999 7 -1 (密码已被锁定。)
[root@localhost ~]# usermod -U lisi     //unlock
[root@localhost ~]# passwd -S lisi 
lisi PS 1969-12-31 0 99999 7 -1 (密码已设置,使用 SHA512 算法。)

2) Lock the file

After the /etc/passwd and /etc/shadow files are locked with the immutable attribute, neither creating users nor assigning passwords can be executed.

[root@localhost ~]# chattr +i /etc/passwd /etc/shadow      //lock the files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow        //check the lock status of the files
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# useradd zhangsan     //after locking the files, creating a user or assigning a password fails
useradd:无法打开 /etc/passwd
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow     //unlock the files
[root@localhost ~]# useradd zhangsan
[root@localhost ~]# passwd zhangsan
更改用户 zhangsan 的密码 。
新的 密码:
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。

2. Security password control

1) Set the password validity period (chage sets the password aging limits for an existing user)

[root@localhost ~]# vim /etc/login.defs       //for new users
PASS_MAX_DAYS   7                            //change the password validity period to 7 days
[root@localhost ~]# chage -M 77 zhangsan    //for an existing user, validity period 77 days
[root@localhost ~]# tail /etc/shadow        //check

2) Force the password to be changed at the next login, otherwise login is refused

[root@localhost ~]# chage -d 0 zhangsan  //the password must be reset at the next login
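As an added example (not part of the original post), the following shell script audits records in /etc/shadow format against the controls from sections 1 and 2 above: locked accounts (what passwd -S reports as LK), empty passwords, a maximum password age above a policy limit, and accounts already forced to change their password at the next login. The policy value MAX_DAYS_POLICY and the sample records are constructed; against a real system run it as root with `audit_shadow < /etc/shadow`.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/shadow records
# against the aging and locking controls above. Sample data is constructed.

MAX_DAYS_POLICY=90     # assumption: longest acceptable password lifetime in days

# Constructed shadow records: name:hash:lastchg:min:max:warn:inact:expire:
SAMPLE_SHADOW='root:$6$abc$hashvalue:18250:0:99999:7:::
zhangsan:$6$def$hashvalue:18250:0:77:7:::
lisi:!$6$ghi$hashvalue:0:0:99999:7:::
wangwu::18250:0:99999:7:::
nobody:*:18250:0:99999:7:::'

# Read shadow records on stdin; print one finding per line.
audit_shadow() {
    awk -F: -v maxp="$MAX_DAYS_POLICY" '
    {
        user = $1; hash = $2; last = $3; max = $5
        if (hash == "*") next                  # no password login possible; ignore
        if (hash ~ /^!/) { print user ": locked (passwd -S would show LK)"; next }
        if (hash == "")  { print user ": EMPTY password"; next }
        if (max == "" || max + 0 > maxp + 0)
            print user ": max age " max " exceeds policy " maxp " (fix: chage -M " maxp " " user ")"
        if (last == "0")
            print user ": must change password at next login (chage -d 0)"
    }'
}

# Number of findings for the records on stdin.
finding_count() { audit_shadow | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

On the constructed records the script reports root (max age 99999), lisi (locked) and wangwu (empty password); zhangsan, whose age was set with chage -M 77, passes the 90-day policy.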

3. History commands, automatic logout

1) Modify the number of historical commands

In the bash terminal environment, the number of history commands recorded is controlled by the variable HISTSIZE, which is 1000 by default. Edit /etc/profile to change the number of history commands kept.

[root@localhost ~]# vim /etc/profile //for new users
HISTSIZE=500                       //change to 500 history commands

[root@localhost ~]# export HISTSIZE=200  //for existing users, change to 200 entries

2) After exiting the bash environment, the history commands are automatically cleared

Edit the ~/.bash_logout file in the user's home directory and add the statements that clear the history commands

[root@localhost ~]# vim ~/.bash_logout
history -c
clear
[root@localhost ~]# source .bash_logout //reload

3) Set the timeout period

The idle timeout is controlled by the variable TMOUT, whose unit is seconds (s); change the setting in /etc/profile

[root@localhost ~]# vim /etc/profile    //for new users
export TMOUT=600                      //log the terminal out automatically after 600 seconds of inactivity
[root@localhost ~]# export TMOUT=600 //for existing users

4. User switching

1) su command: switch users

[root@localhost ~]# su zhangsan
[zhangsan@localhost root]$ su root
密码:

2) Allow only specific users to use the su command

With the pam_wheel authentication module, only specific users are allowed to use the su command; edit /etc/pam.d/su to enable pam_wheel

[root@localhost ~]# gpasswd -a zhangsan wheel   //add the user to the wheel group
正在将用户“zhangsan”加入到“wheel”组中
[root@localhost ~]# grep wheel /etc/group        //verify membership of the wheel group
wheel:x:10:zhangsan

[root@localhost ~]# vim /etc/pam.d/su
auth            required        pam_wheel.so use_uid
//remove the leading "#"; once uncommented, only members of the wheel group can use the su command

[lisi@localhost root]$ su root  //test
密码:
su: 拒绝权限
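The check an administrator would want after this step, as an added example that is not part of the original post: report whether the pam_wheel line in /etc/pam.d/su is active and, if so, which accounts (the wheel group members) can still use su. The two file paths are parameters; the copies written below are constructed to mirror the post's final state, and the real files are /etc/pam.d/su and /etc/group.

```shell
#!/bin/sh
# Added example (not from the original post): report whether su is limited to
# the wheel group via pam_wheel, and who is in that group.
# Real paths: /etc/pam.d/su and /etc/group; the files below are constructed.

# Usage: su_restriction <pam_su_file> <group_file>
# Returns 0 when the pam_wheel line is active, 1 otherwise.
su_restriction() {
    pam=$1; grp=$2
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$pam"; then
        members=$(awk -F: '$1 == "wheel" { print $4 }' "$grp")
        echo "restricted: su is limited to wheel members: ${members:-<none>}"
        return 0
    fi
    echo "unrestricted: any user may attempt su (pam_wheel line commented out or absent)"
    return 1
}

# Constructed copies mirroring the post's final state.
SAMPLE=$(mktemp -d)
printf '#%%PAM-1.0\nauth\t\tsufficient\tpam_rootok.so\nauth\t\trequired\tpam_wheel.so use_uid\nauth\t\tsubstack\tsystem-auth\n' > "$SAMPLE/su"
printf 'root:x:0:\nwheel:x:10:zhangsan\nlisi:x:1001:\n' > "$SAMPLE/group"

su_restriction "$SAMPLE/su" "$SAMPLE/group"
```

Against a live host, `su_restriction /etc/pam.d/su /etc/group` prints the same one-line verdict; a commented-out pam_wheel line makes it return 1, which is convenient for a compliance script.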

5. Elevating execution privileges: the sudo command

1) Setting user permissions

In the configuration file /etc/sudoers, the authorization format is

user    MACHINE     COMMANDS

An authorization has three parts: user, host, and command

User (user): either a user name directly, or the form "%groupname" (authorizes all users in the group)

Host (MACHINE): the host name to which this line applies, which mainly lets several hosts share one sudoers file; usually localhost or the actual host name

Command (COMMANDS): the full path of the command program; several commands are separated by commas (",")

[root@localhost ~]# vim /etc/sudoers
zhangsan localhost.localdomain=/sbin/ifconfig    //give zhangsan permission to use the ifconfig command
%wheel ALL=NOPASSWD:ALL    //members of the wheel group need no password; zhangsan is not in the group, so a password is required below

[root@localhost ~]# su zhangsan
[zhangsan@localhost root]$ sudo ifconfig ens33 192.168.1.1 //prefix the command with sudo

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for zhangsan:  //zhangsan's password

Note:

Prefix the command with sudo when using it.

Command lists in sudoers may use the wildcard "*" and the negation "!"

2) Check which sudo permissions the user has obtained

[root@localhost ~]# sudo -l

If logging is enabled, the sudo operation records can be viewed in the /var/log/sudo file

[root@localhost ~]# tail /var/log/sudo
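The wildcard and negation the note above mentions are exactly the features worth reviewing in a sudoers file. The following added example (not from the original post) lints sudoers rules read on stdin and flags three patterns: NOPASSWD combined with ALL, a "*" in the command list, and a "!" negation. The sample rules are constructed and include the two lines the post added; on a real host run `lint_sudoers < /etc/sudoers` as root (files in /etc/sudoers.d can be piped in the same way).

```shell
#!/bin/sh
# Added example (not from the original post): flag sudoers rules that deserve
# review: NOPASSWD on ALL, wildcard "*" and negation "!" in the command list.
# The rules below are constructed; they are not a real /etc/sudoers.

SAMPLE_SUDOERS='# constructed sample sudoers
Defaults logfile=/var/log/sudo
zhangsan localhost.localdomain=/sbin/ifconfig
%wheel ALL=NOPASSWD:ALL
lisi ALL=/bin/cat /var/log/*
wangwu ALL=ALL,!/bin/su'

# Read sudoers text on stdin; print one finding per risky rule.
lint_sudoers() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | grep -v '^Defaults' |
    while IFS= read -r rule; do
        cmds=${rule#*=}                     # text after the first '='
        case "$cmds" in
            *NOPASSWD:*ALL*) echo "HIGH   $rule   (passwordless, unrestricted root)" ;;
        esac
        case "$cmds" in
            *\**) echo "MEDIUM $rule   (wildcard widens which arguments match)" ;;
        esac
        case "$cmds" in
            *'!'*) echo "MEDIUM $rule   (negation is not a reliable restriction; see sudoers(5))" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_SUDOERS" | lint_sudoers
```

The zhangsan line, which names one full command path, produces no finding; the %wheel line is the HIGH one. Each rule is matched independently, so a line that combines patterns produces several findings.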

II. System boot and login control

1. Disable rebooting with the Ctrl+Alt+Del shortcut

[root@localhost ~]# ll /usr/lib/systemd/system/ctrl-alt-del.target //check that it is a symlink
lrwxrwxrwx. 1 root root 13 5月   7 2018 /usr/lib/systemd/system/ctrl-alt-del.target -> reboot.target
[root@localhost ~]# systemctl mask ctrl-alt-del.target  //mask ctrl-alt-del.target
Created symlink from /etc/systemd/system/ctrl-alt-del.target to /dev/null.
[root@localhost ~]# systemctl daemon-reload  //reload the systemd configuration

2. Set GRUB password

The password hash is generated with the grub2-mkpasswd-pbkdf2 command and stored in the /etc/grub.d/00_header configuration file.

[root@localhost ~]# grub2-mkpasswd-pbkdf2 
输入口令:    //enter the password to set
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.37B241BE7B9B7AA1FE3631633F2B9FACF0C68133C8D53DF1BCDFA029A5E75B6031D99736281F45EDE65737D4145719C4A18D4F26948C9B85F1C3EE1F6DDECA5C.21F50377A7E3D5BD8C60C5FD580C48A3518AEF747E21A7D0449C9F0B5EC589FB50B8EA0D531279B7C78A15C1867D70F68E1A7BA1B8E59BACDE77CDC1F96B465A
[root@localhost ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak   //back up
[root@localhost ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak  //back up
[root@localhost ~]# vim /etc/grub.d/00_header  //append the hashed password string at the end of the file
cat << EOF
set superusers="root"    //set the superuser to root
password_pbkdf2 root  grub.pbkdf2.sha512.10000.37B241BE7B9B7AA1FE3631633F2B9FACF0C68133C8D53DF1BCDFA029A5E75B6031D99736281F45EDE65737D4145719C4A18D4F26948C9B85F1C3EE1F6DDECA5C.21F50377A7E3D5BD8C60C5FD580C48A3518AEF747E21A7D0449C9F0B5EC589FB50B8EA0D531279B7C78A15C1867D70F68E1A7BA1B8E59BACDE77CDC1F96B465A
EOF
[root@localhost ~]# grub2-mkconfig -o /boot/grub2/grub.cfg  //generate the new grub.cfg file

3. Terminal login control

1) Prohibit the root user from logging in on a terminal

[root@localhost ~]# vim /etc/securetty 
#tty5   //comment out tty5 and tty6 to deny root login on terminals 5 and 6
#tty6

2) Forbid ordinary users from logging in

To prohibit ordinary users from logging in, the login program checks whether the /etc/nologin file exists; if it exists, ordinary users are denied login.

[root@localhost ~]# touch /etc/nologin
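The four controls in this part can be verified together. The script below is an added example, not part of the original post: it checks that ctrl-alt-del.target is masked (a symlink to /dev/null), that the GRUB header carries both a superusers line and a password_pbkdf2 line, that tty5 and tty6 are no longer listed uncommented in securetty, and whether the nologin file exists. The file paths are parameters so the check can run against a constructed tree; the real paths are /etc/systemd/system/ctrl-alt-del.target, /etc/grub.d/00_header, /etc/securetty and /etc/nologin, and the PBKDF2 hash in the constructed header is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): verify the boot/login controls
# from this part: ctrl-alt-del.target masked, GRUB superuser password set,
# root denied on tty5/tty6, /etc/nologin present. Paths are parameters so the
# check can run against a constructed tree; the real ones are
# /etc/systemd/system/ctrl-alt-del.target, /etc/grub.d/00_header,
# /etc/securetty and /etc/nologin.

# Usage: audit_boot_login <cad_link> <grub_header> <securetty> <nologin>
# Prints OK/FAIL per check; returns the number of failed checks.
audit_boot_login() {
    cad=$1; hdr=$2; tty=$3; nologin=$4; fails=0
    if [ "$(readlink "$cad" 2>/dev/null)" = "/dev/null" ]; then
        echo "OK   ctrl-alt-del.target is masked"
    else
        echo "FAIL ctrl-alt-del.target is not masked"; fails=$((fails + 1))
    fi
    if grep -q '^set superusers=' "$hdr" 2>/dev/null && grep -q '^password_pbkdf2 ' "$hdr" 2>/dev/null; then
        echo "OK   GRUB superuser password configured"
    else
        echo "FAIL GRUB superuser password missing"; fails=$((fails + 1))
    fi
    for t in tty5 tty6; do
        if grep -qx "$t" "$tty" 2>/dev/null; then
            echo "FAIL root login still allowed on $t"; fails=$((fails + 1))
        else
            echo "OK   root login denied on $t"
        fi
    done
    if [ -e "$nologin" ]; then
        echo "OK   nologin file present (ordinary users blocked)"
    else
        echo "INFO nologin file absent (ordinary users may log in)"
    fi
    return "$fails"
}

# Constructed tree mirroring the post's final state (hash is a placeholder).
make_sample_tree() {
    mkdir -p "$1"
    ln -sf /dev/null "$1/ctrl-alt-del.target"
    printf 'cat << EOF\nset superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER\nEOF\n' > "$1/00_header"
    printf 'console\ntty1\ntty2\n#tty5\n#tty6\n' > "$1/securetty"
    : > "$1/nologin"
}

SAMPLE=$(mktemp -d)
make_sample_tree "$SAMPLE"
audit_boot_login "$SAMPLE/ctrl-alt-del.target" "$SAMPLE/00_header" "$SAMPLE/securetty" "$SAMPLE/nologin" \
    || echo "$? check(s) failed"
```

The nologin check is reported as INFO rather than FAIL because the file is a temporary maintenance measure, not a permanent hardening setting; the return value counts only the other checks.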

III. Weak password detection and port scanning

1. Weak password detection: John the Ripper

Source package download: https://pan.baidu.com/s/1Sxyr1Vt4Y8WyBhEv6bQk7w 
Extraction code: a2gt

John the Ripper is an open-source password-cracking tool that recovers the plaintext password from known ciphertext and supports multiple encryption algorithms.

1) Download and compile John the Ripper

After extracting the archive, three directories are visible: doc (documentation), run (executable programs) and src (source code)

[root@localhost mnt]# tar zxf john-1.8.0.tar.gz -C /usr/src/
[root@localhost mnt]# cd /usr/src/john-1.8.0/
[root@localhost john-1.8.0]# cd src/
[root@localhost src]# make clean linux-x86-64   //compile
[root@localhost src]# ls ../run/john      //confirm that the john executable was generated
../run/john

2) Detect weak passwords

Crack the plaintext of the /etc/shadow ciphertext file

[root@localhost src]# cp /etc/shadow /root/shadow.txt   //prepare the file to be cracked
[root@localhost src]# cd ..
[root@localhost john-1.8.0]# cd run/
[root@localhost run]# ./john /root/shadow.txt            //run the brute-force crack
Loaded 3 password hashes with 3 different salts (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (root)     //result
123              (lisi)    //result

[root@localhost run]# ./john --show /root/shadow.txt   //show the list of cracked accounts
root:123456::0:99999:7::: 
lisi:123::0:99999:7:::

2 password hashes cracked, 1 left

3) Use a password dictionary file

A password dictionary is very important for brute-force password cracking. The dictionary file supplied with John the Ripper by default is password.lst, which lists 3000 common weak passwords. Users can add more password combinations (birthdays, etc.) to make cracking easier, or write a dictionary themselves. The following demonstration writes a custom dictionary named aaa.txt

[root@localhost run]# :> john.pot   //clear the list of cracked accounts
[root@localhost run]# vim aaa.txt   //create a new dictionary
qinziteng
qinziteng666
[root@localhost run]# ./john --wordlist=aaa.txt /root/shadow.txt 

Note: --wordlist= is followed by the dictionary file name; you can use the supplied dictionary or your own.
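What an administrator does with the result of `./john --show` is force a reset on every account it lists, using the chage -d 0 control shown earlier. The script below is an added example, not part of the original post: it parses `--show` output in the format printed above (user:cleartext:... lines followed by a summary line), which is constructed here, and prints the remediation commands as a dry run; with APPLY=1 exported and run as root it executes them. John itself is not run by this script.

```shell
#!/bin/sh
# Added example (not from the original post): turn `john --show` output into
# forced password resets (chage -d 0). The john output below is constructed
# in the format shown above; john itself is not run here.

SAMPLE_JOHN_SHOW='root:123456::0:99999:7:::
lisi:123::0:99999:7:::

2 password hashes cracked, 1 left'

# Read `john --show` output on stdin; print the names of cracked accounts
# (the summary line and blank lines have fewer than three ':' fields).
cracked_users() {
    awk -F: 'NF >= 3 && $1 != "" { print $1 }'
}

# Print (or, with APPLY=1 exported and run as root, execute) the remediation
# for each cracked account.
remediate() {
    cracked_users | while IFS= read -r u; do
        if [ "${APPLY:-0}" = "1" ]; then
            chage -d 0 "$u"                   # force a new password at next login
        else
            echo "would run: chage -d 0 $u"
        fi
    done
}

printf '%s\n' "$SAMPLE_JOHN_SHOW" | remediate
```

On a real run the pipeline is `./john --show /root/shadow.txt | remediate`; keeping the dry-run default means the list can be reviewed before any account is touched.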

2. Network scanning: nmap

1) Install nmap

[root@localhost yum.repos.d]# yum -y install nmap  //install nmap

2) Syntax and scan types

nmap is located at /usr/bin/nmap; the command format is as follows

nmap [scan type] [options] <scan target>

Common options are

Examples

Scan common TCP ports

[root@localhost ~]# nmap 127.0.0.1      //scan common tcp ports

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-07 21:41 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

Scan common UDP ports

[root@localhost ~]# nmap -sU 127.0.0.1   //scan common udp ports

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-07 21:44 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).
Not shown: 999 closed ports
PORT     STATE         SERVICE
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds

Check which hosts in the 192.168.1.0/24 network segment provide FTP services (-p specifies the port)

[root@localhost ~]# nmap -p 21 192.168.1.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-07 21:46 CST
setup_target: failed to determine route to 192.168.1.0
setup_target: failed to determine route to 192.168.1.1
setup_target: failed to determine route to 192.168.1.2
setup_target: failed to determine route to 192.168.1.3
setup_target: failed to determine route to 192.168.1.4

Check which hosts on the 192.168.1.0/24 network segment are alive

[root@localhost ~]# nmap -n -sP 192.168.1.0/24

Check which hosts in 192.168.1.100-200 have file sharing services enabled

[root@localhost ~]# nmap -p 139,445 192.168.1.100-200
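The defensive use of the scans above is to compare what a host actually exposes with what it is supposed to expose. The following added example (not from the original post) reads an nmap report in the format printed above, extracts the open and open|filtered ports, and prints any that are not on an allowlist. The report and the ALLOWED_PORTS value are constructed; in practice the report comes straight from the scan, e.g. `nmap 127.0.0.1 | unexpected_ports "22/tcp 631/tcp"`.

```shell
#!/bin/sh
# Added example (not from the original post): compare the open ports in an
# nmap report against an allowlist and print anything unexpected. The report
# below is constructed in the format nmap prints above.

ALLOWED_PORTS="22/tcp 631/tcp"     # assumption: services this host should expose

SAMPLE_NMAP='Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-07 21:41 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds'

# Read a report on stdin; print "port/proto service" for open and
# open|filtered ports (the latter is how -sU reports most UDP ports).
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 ~ /^open/ { print $1, $3 }'
}

# Read a report on stdin; print open ports missing from the allowlist.
# Optional first argument overrides $ALLOWED_PORTS.
unexpected_ports() {
    allowed=${1:-$ALLOWED_PORTS}
    open_ports | while read -r port svc; do
        case " $allowed " in
            *" $port "*) ;;
            *) echo "UNEXPECTED $port ($svc)" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_NMAP" | unexpected_ports
```

With the constructed report and allowlist the script flags smtp (25/tcp) and rpcbind (111/tcp); the same functions work on the -sU output above because open|filtered is accepted as an open state.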

Origin blog.csdn.net/weixin_45310323/article/details/103438861