System security and brute-force password cracking

Basic account security measures

System account cleanup

Set the shell of non-login users to /sbin/nologin
usermod -s /sbin/nologin <username>
Lock accounts that have not been used for a long time
usermod -L <username>
passwd -l <username>
passwd -S <username> (view the lock status)
Delete useless accounts
userdel [-r] <username>
Lock the account files passwd and shadow (users can no longer be created and passwords can no longer be changed)
chattr +i /etc/passwd /etc/shadow (lock the files)
lsattr /etc/passwd /etc/shadow (view the file attributes)
chattr -i /etc/passwd /etc/shadow (unlock the files)

Password security control

1. Set the password validity period
cat /etc/shadow (view information)

  • New users
    vi /etc/login.defs
    ……
    PASS_MAX_DAYS 30

  • Existing users
    chage -M 30 lisi

2. Require the user to change the password at the next login
chage -d 0 zhangsan
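
Added example, not from the original post: a small Python audit of the shadow fields that the commands above modify (chage -M sets the max-days field, chage -d 0 sets the last-change day to 0, passwd -l prefixes the hash with "!"). The shadow text is constructed for the example, and the 30-day limit mirrors the PASS_MAX_DAYS value set above.

```python
import datetime

# Constructed /etc/shadow sample (not a real file). Fields are
# name:hash:lastchange:min:max:warn:inactive:expire:reserved, with the
# day fields counted in days since 1970-01-01, as in the real file.
SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
lisi:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:18900:0:30:7:::
zhangsan:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:0:0:30:7:::
olduser:!$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:18000:0:99999:7:::
svc:*:18000:0:99999:7:::
guest::19000:0:99999:7:::
"""

MAX_DAYS_POLICY = 30   # the PASS_MAX_DAYS value the post configures

def parse_shadow(text):
    """Parse shadow lines into dicts; empty numeric fields become None."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 8:
            raise ValueError(f"malformed shadow line: {line!r}")
        name, pw_hash, last, _min, max_days = fields[:5]
        entries.append({"name": name, "hash": pw_hash,
                        "lastchange": int(last) if last else None,
                        "max": int(max_days) if max_days else None})
    return entries

def audit(entries, today):
    """Return {account: [issues]} for the given day number (days since epoch)."""
    report = {}
    for e in entries:
        issues = []
        h = e["hash"]
        if h == "":
            issues.append("empty password")        # login without any password
        elif h.startswith("!") or h.startswith("*"):
            issues.append("locked")                # passwd -l / usermod -L, or no password login
        else:
            if e["max"] is None or e["max"] > MAX_DAYS_POLICY:
                issues.append("max days above policy")      # chage -M not applied
            if e["lastchange"] == 0:
                issues.append("must change at next login")  # chage -d 0
            elif (e["lastchange"] is not None and e["max"] is not None
                  and today - e["lastchange"] > e["max"]):
                issues.append("password expired")
        report[e["name"]] = issues
    return report

def days_since_epoch(date=None):
    date = date or datetime.date.today()
    return (date - datetime.date(1970, 1, 1)).days

if __name__ == "__main__":
    for name, issues in audit(parse_shadow(SAMPLE_SHADOW), days_since_epoch()).items():
        print(f"{name:10} {', '.join(issues) or 'ok'}")
```

On a real host, replace SAMPLE_SHADOW with the contents of /etc/shadow (readable only by root) and the report shows which accounts still lack the ageing settings.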

Command history limit

history (view the command history)
Reduce the number of recorded commands:
vim /etc/profile

Automatically clear the command history when logging out:
vim ~/.bashrc

Terminal automatic logout

Automatically log out after 600 seconds of inactivity:
vim /etc/profile

SU command to switch users

Purpose and usage

Purpose: switch to another user
Format: su - <target user>

Password validation

  • rootany user, no password verification
  • Ordinary user  other users, verify the password of the target user

Restrict users who use the su command

Add the users who are allowed to use the su command to the wheel group.
Enable the pam_wheel authentication module:
vim /etc/pam.d/su
It can then be seen that accounts added to the wheel group can use the su command, while accounts that have not joined the wheel group cannot.
The settings in the /etc/pam.d/su file that restrict the use of the su command:
vim /etc/pam.d/su
auth sufficient pam_rootok.so

#auth required pam_wheel.so use_uid

a) The two lines above are the default state (the first line is active and the second line is commented out). In this state all users are allowed to switch with the su command.
b) With both lines commented out, all users can still use the su command, but root also has to enter a password when switching to an ordinary user. If the first line is left active, root can switch to ordinary users without entering a password (the main function of the pam_rootok.so module is to let a user whose uid is 0, that is, root, pass authentication directly without a password).
c) If the second line is enabled, only the root user and the users in the wheel group can use the su command.
d) If the first line is commented out and the second line enabled, only users in the wheel group can use the su command; the root user is forbidden to use it as well.

PAM Security Authentication in Linux

The hidden dangers of su command

  • By default, any user is allowed to use the su command and has the opportunity to repeatedly try the login password of other users (such as root), which brings security risks
  • In order to strengthen the control of the use of the su command, the PAM authentication module can be used to allow only a very few users to use the su command to switch

PAM pluggable authentication module

  • It is an efficient, flexible and convenient user-level authentication method
  • It is also the commonly used authentication method for Linux servers
  • Linux-PAM is the Linux pluggable authentication module: a set of customizable, dynamically loadable shared libraries that let the local system administrator choose how each program authenticates.
    PAM manages the authentication method of a program through the configuration files under /etc/pam.d/. The application calls its PAM configuration file, which in turn calls the local authentication modules; the modules live under /lib64/security and are loaded as dynamic libraries to perform the authentication. For example, when the su command prompts for the root password, the su command achieves this by calling a PAM module.

Principles of PAM authentication

  1. PAM authentication generally follows the order: service -> PAM configuration file -> pam_*.so;
  2. PAM authentication must first determine which application service, then load the corresponding PAM configuration file (located under /etc/pam.d), and finally call the authentication module (located under /lib64/security/) for security authentication.
  3. When a user accesses the server, a certain service program of the server sends the user's request to the PAM module for authentication. The PAM modules corresponding to different applications are also different.
  • If you want to check whether a program supports PAM authentication, you can use the ls command to check /etc/pam.d/.

The structure of PAM authentication

To check whether a program supports PAM authentication, you can use the ls command

  • Example: Check whether su supports PAM module authentication
    ls /etc/pam.d | grep su

View the PAM configuration file of su: cat /etc/pam.d/su

  • Each line is an independent authentication step
  • Each line is divided into three fields:
  1. Authentication type
  2. Control type
  3. PAM module and its parameters

The first column represents the PAM authentication module type
auth: identifies the user, for example by prompting for a password or by checking whether the user is root.
account: Check the various attributes of the account, such as whether it is allowed to log in to the system, whether the account has expired, whether it has reached the maximum number of users, etc.
password: Use user information to update data, such as modifying user passwords.
session: Defines the session operation management to be performed before login and after logout, such as login connection information, opening and closing of user data, and mounting the file system.

The second column represents the PAM control flag
required: the module must return success. If it fails, the failure is not returned immediately; the remaining checks of the same type continue to run, and failure is returned only after all modules of this type have been executed.
requisite: similar to required, but if this module fails, failure is returned immediately and the whole type is considered to have failed.
sufficient: if this module succeeds, success is returned directly to the program and the type is considered successful; if it fails, it does not affect the return value of the type.
optional: returns neither success nor failure; generally not used for verification, only to display information (usually used for the session type).
include: other PAM configuration files are called during the verification process. For example, many applications implement authentication by calling /etc/pam.d/system-auth (which is mainly responsible for authenticating logins to the system) without having to rewrite the configuration items one by one.

The third column represents the PAM module. The default is in the /lib64/security/ directory. If it is not in the default path, fill in the absolute path.
The same module can appear in different module types, and it performs different operations in different types. This is because each module has different execution functions for different module types.

The fourth column represents the parameters of the PAM module, which are added according to the module used.
These are the parameters passed to the module; there can be several, separated by spaces.

Supplementary description of the control flags:
required: the success of this line and the module it names is a [necessary condition] for the user to pass authentication. In other words, only when all required modules of the application have succeeded can the program pass authentication. At the same time, if any module marked required fails, PAM does not immediately return the error to the application; it returns the error to the calling program only after all modules of this type have been called.
In plain terms, every module of this type is executed once. If any one of them fails, verification continues and the error is returned only after execution is complete. The purpose is to prevent the user from knowing which module rejected them, protecting the service by hiding that information. This is like setting deny rules to drop rather than reject in a firewall, so that a user whose access fails cannot tell whether they were denied or the target network is unreachable.

requisite: similar to required, the user can pass authentication only after the module with this flag returns success. The difference is that once it fails, the remaining modules in the stack are not executed, the authentication process ends there, and an error is returned immediately. Compared with required, it is more open about the result.

sufficient: the successful verification of this line and the module it names is a [sufficient condition] for the user to pass authentication. That is, as long as a module marked sufficient succeeds, PAM immediately returns success to the application without trying any other modules, even if the modules stacked after it use the requisite or required flags. When a module marked sufficient fails, it is treated as optional. Therefore a configuration item with the sufficient flag does not cause the whole verification to fail when it fails, but opens the door when it succeeds, so this control flag must be used with caution.

optional: the user can still pass authentication even if the verification of the module on this line fails. In the PAM system, processing continues with the next module after a module with this flag fails. That is, even if the module specified on this line fails verification, the user is still allowed to use the services provided by the application. With this flag, the PAM framework ignores the verification error produced by the module and continues with the next stacked module in sequence.

PAM security authentication process

The control type is also called Control Flags, which is used to return the result of the PAM verification type

  1. If a required verification fails, processing continues, but Fail is returned at the end
  2. If a requisite verification fails, the entire verification process ends immediately and Fail is returned
  3. If a sufficient verification succeeds, success is returned immediately without continuing; otherwise the result is ignored and processing continues
  4. optional is not used for verification, but only displays information (usually used for the session type)

Examples:

                                 User one   User two   User three   User four
auth required    Module 1        pass       fail       pass         pass
auth sufficient  Module 2        pass       pass       fail         pass
auth required    Module 3        pass       pass       pass         fail
Result                           pass       fail       pass         pass
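
As an added example (not part of the original post), the following Python simulator applies the control-flag rules above to the four-user table and to the /etc/pam.d/su combinations discussed in the su section. It assumes Linux-PAM's behaviour that a sufficient success only ends the stack when no earlier required module has failed, models pam_wheel.so as passing only for members of wheel, and assumes the password check that the real su file pulls in with `auth include system-auth` succeeds.

```python
PASS, FAIL = "pass", "fail"

def evaluate_stack(stack, results):
    """Walk a PAM stack of (control_flag, module) pairs, looking up each
    module's outcome in `results`. Returns (final_result, modules_executed)."""
    required_failed = False
    executed = []
    for flag, module in stack:
        outcome = results.get(module, FAIL)
        executed.append(module)
        if flag == "required":
            if outcome == FAIL:
                required_failed = True      # remember the failure, keep going
        elif flag == "requisite":
            if outcome == FAIL:
                return FAIL, executed       # abort the stack immediately
        elif flag == "sufficient":
            # A sufficient success ends the stack with success only if no
            # earlier required module has failed; a failure is ignored.
            if outcome == PASS and not required_failed:
                return PASS, executed
        elif flag == "optional":
            pass                            # never affects the decision
        else:
            raise ValueError(f"unknown control flag: {flag}")
    return (FAIL if required_failed else PASS), executed

# The four-user table from the post: required / sufficient / required.
TABLE_STACK = [("required", "Module 1"),
               ("sufficient", "Module 2"),
               ("required", "Module 3")]
TABLE_USERS = {
    "User one":   {"Module 1": PASS, "Module 2": PASS, "Module 3": PASS},
    "User two":   {"Module 1": FAIL, "Module 2": PASS, "Module 3": PASS},
    "User three": {"Module 1": PASS, "Module 2": FAIL, "Module 3": PASS},
    "User four":  {"Module 1": PASS, "Module 2": PASS, "Module 3": FAIL},
}

def table_results():
    return {user: evaluate_stack(TABLE_STACK, r)[0]
            for user, r in TABLE_USERS.items()}

def su_allowed(uid, in_wheel, rootok_enabled=True, wheel_enabled=False):
    """Model the /etc/pam.d/su auth stack: pam_rootok.so (sufficient) and
    pam_wheel.so (required) toggled as in the four cases of the post, then
    the password check (assumed to succeed). Returns (result, prompted)."""
    stack = []
    if rootok_enabled:
        stack.append(("sufficient", "pam_rootok.so"))
    if wheel_enabled:
        stack.append(("required", "pam_wheel.so"))
    stack.append(("required", "system-auth"))   # the target user's password
    results = {"pam_rootok.so": PASS if uid == 0 else FAIL,
               "pam_wheel.so": PASS if in_wheel else FAIL,
               "system-auth": PASS}
    result, executed = evaluate_stack(stack, results)
    return result, "system-auth" in executed
```

`su_allowed(0, False)` reproduces case a) (root switches without a password prompt), and `su_allowed(0, False, rootok_enabled=False, wheel_enabled=True)` reproduces case d), where root is refused because it is not in wheel.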

Use sudo mechanism to elevate permissions

The purpose and usage of sudo command

Purpose: execute authorized commands as another user (such as root)
Usage: sudo <authorized command>

Configure sudo authorization

visudo
or
vi /etc/sudoers (the default permissions of this file are 440, so when saving and exiting you must force the write with ":wq!")

Use "," to separate, "!" to negate the sign

Syntax format:

user  hostname=command program list
user  hostname=(runas user) command program list

User: directly authorize the specified user name, or use the form of "% group name" (authorize all users in a group).

Host name: The host name that uses this rule. Localhost can be used if the host name is not configured, the actual host name is used if the host name is configured, and ALL means all hosts

(User): In what identity the user can execute the command. This item can be omitted. By default, the command is run as the root user.
Command program list: the privileged commands the authorized user may execute through sudo. Fill in the full path of each command program and separate multiple commands with a comma ",". ALL means all commands on the system.
Example:
Tom ALL=/sbin/ifconfig
Jerry localhost=/sbin/*,!/sbin/reboot,!/sbin/poweroff    #The wildcard "*" means all, the negation symbol "!" means exclude

%wheel ALL=NOPASSWD: ALL    #Members of the wheel group can execute any command with sudo without entering a password
Mike ALL=(root)NOPASSWD: /bin/kill, /usr/bin/killall

Use the keywords User_Alias, Host_Alias and Cmnd_Alias to set aliases (alias names must be uppercase)
User_Alias USERS=Tom,Jerry,Mike
Host_Alias HOSTS=localhost,bogon
Cmnd_Alias CMNDS=/sbin/ifconfig,/usr/sbin/useradd,/usr/sbin/userdel
USERS HOSTS=CMNDS
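
Added example, not from the original post: a Python evaluator for the rule forms shown above, useful for checking what a sudoers entry actually grants before installing it. It assumes a simplified grammar (one user and one host per rule, no command arguments, wildcards matched with fnmatch), handles "%group" entries and the three alias types, and applies sudo's rule that the last matching entry wins, which is why the "!" exclusions must come after the wildcard they narrow.

```python
import fnmatch

# Constructed sudoers text built from the rules shown above (not a real file).
SAMPLE_SUDOERS = """
User_Alias USERS=Tom,Jerry,Mike
Host_Alias HOSTS=localhost,bogon
Cmnd_Alias CMNDS=/sbin/ifconfig,/usr/sbin/useradd,/usr/sbin/userdel
Tom ALL=/sbin/ifconfig
Jerry localhost=/sbin/*,!/sbin/reboot,!/sbin/poweroff
%wheel ALL=NOPASSWD: ALL
Mike ALL=(root)NOPASSWD: /bin/kill, /usr/bin/killall
USERS HOSTS=CMNDS
"""

def parse_sudoers(text):
    """Return (aliases, rules); a rule is (user, host, runas, nopasswd, cmds).
    Simplified grammar: one user and one host per rule, no command arguments."""
    aliases = {"User_Alias": {}, "Host_Alias": {}, "Cmnd_Alias": {}}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        kind = line.split()[0]
        if kind in aliases:                       # alias definition line
            name, members = line[len(kind):].split("=", 1)
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        user, rest = line.split(None, 1)
        host, spec = rest.split("=", 1)
        spec, runas = spec.strip(), "root"        # sudo's default runas user
        if spec.startswith("("):
            runas, spec = spec[1:].split(")", 1)
        spec, nopasswd = spec.strip(), False
        if spec.startswith("NOPASSWD:"):
            nopasswd, spec = True, spec[len("NOPASSWD:"):]
        rules.append((user, host.strip(), runas.strip(), nopasswd,
                      [c.strip() for c in spec.split(",")]))
    return aliases, rules

def check(sudoers, user, groups, host, command, runas="root"):
    """Return (allowed, nopasswd), or None when no entry matches. As in sudo,
    the last matching entry wins, so the order of "!" exclusions matters."""
    aliases, rules = sudoers
    decision = None
    for ruser, rhost, rrunas, nopasswd, cmds in rules:
        users = aliases["User_Alias"].get(ruser, [ruser])
        if user not in users and not any("%" + g in users for g in groups):
            continue
        hosts = aliases["Host_Alias"].get(rhost, [rhost])
        if "ALL" not in hosts and host not in hosts:
            continue
        if rrunas not in ("ALL", runas):
            continue
        for c in cmds:
            negated = c.startswith("!")
            for pat in aliases["Cmnd_Alias"].get(c.lstrip("!"), [c.lstrip("!")]):
                if pat == "ALL" or fnmatch.fnmatchcase(command, pat):
                    decision = (not negated, nopasswd)
    return decision
```

Real sudo also matches command arguments and does not let "*" cross a "/" in a path, so treat this as a reading aid for the rule semantics rather than a replacement for `sudo -l`.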

Enable sudo operation log

visudo
Defaults logfile="/var/log/sudo"

Boot and shutdown security control

Adjust the BIOS boot settings:
Set the first boot device to the hard disk where the current system is located.
Prohibit booting the system from other devices (CD, USB, network).
Set the security level to setup and set the administrator password.
GRUB restrictions:
Use grub2-mkpasswd-pbkdf2 to generate a key (the password hash).
Modify the /etc/grub.d/00_header file and add a password record.
Generate a new grub.cfg configuration file.

Restrict changes to GRUB boot parameters

Under normal circumstances, when the system is booted into the GRUB menu, pressing the e key lets anyone view and modify the GRUB boot parameters, which poses a serious threat to the server.
A password can be set for the GRUB menu so that the boot parameters can only be modified after entering the correct password.

Experimental configuration

grub2-mkpasswd-pbkdf2                              #Set the password of the GRUB menu when prompted
PBKDF2 hash of your password is grub.pbkdf2……      #The omitted part is the encrypted password string

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
cp /etc/grub.d/00_header /etc/grub.d/00_header.bak

vim /etc/grub.d/00_header                          #Add the following password record
cat << EOF
set superusers="root"                              #Set the user name to root
password_pbkdf2 root grub.pbkdf2……                 #Set the password; the omitted part is the encrypted password string
EOF

grub2-mkconfig -o /boot/grub2/grub.cfg #Generate a new grub.cfg file

After restarting the system and entering the GRUB menu, pressing the e key now requires the account password before the boot parameters can be modified.

Prohibit root user login

In a Linux system, the login program reads the /etc/securetty file to determine from which terminals (secure terminals) the root user is allowed to log in. Commenting out a terminal removes it from the list:
vi /etc/securetty
#tty5
#tty6

Forbid ordinary users to log in

The login program checks whether the /etc/nologin file exists; if it does, ordinary users are refused login to the system (root users are not restricted).
touch /etc/nologin #Prohibit ordinary users from logging in
rm -rf /etc/nologin #Cancel the login restriction

System weak password detection

John the Ripper, abbreviated JR

A password-analysis tool that supports dictionary-based brute-force cracking.
By analysing the password hashes in shadow files, the strength of passwords can be detected.

Install JR tools

Installation method: make clean <system type>
The main program file is john

Detect weak password accounts

Obtain the shadow file of the Linux/Unix server
Execute the john program with the shadow file as a parameter

Brute force cracking of password files

Prepare the password dictionary file (the default is password.lst)
Execute the john program with -wordlist=<dictionary file>

Configuration

#Unzip the toolkit
cd /opt
tar zxf john-1.8.0.tar.gz
#Install the software compilation tools
yum install -y gcc gcc-c++ make
#Switch to the src subdirectory
cd /opt/john-1.8.0/src
#Compile and install
make clean linux-x86-64
#Prepare the password file to be cracked
cp /etc/shadow /opt/shadow.txt
#Execute the brute-force cracking
cd /opt/john-1.8.0/run
./john /opt/shadow.txt
#View the list of accounts that have been cracked
./john --show /opt/shadow.txt

#Use a password dictionary file
> john.pot                                         #Empty the list of already-cracked accounts so they can be reanalysed
./john --wordlist=./password.lst /opt/shadow.txt   #Crack using the specified dictionary file

Network Scan-NMAP

NMAP is a powerful port scanning security evaluation tool that supports ping scanning, multi-port detection and other technologies
#Install the NMAP software package
rpm -qa | grep nmap
yum install -y nmap

Common options and scan types of nmap command

-p: Specify the port to scan.
-n: Disable reverse DNS resolution (to speed up scanning).
-sS: TCP SYN scan (half-open scan), only SYN packets are sent to the target. If a SYN/ACK response packet is received, the target port is considered to be listening and the connection is immediately disconnected; otherwise, the target port is considered not open.
-sT: TCP connection scan, this is a complete TCP scan method (default scan type), used to establish a TCP connection, if successful, the target port is considered to be listening for services, otherwise the target port is considered not open.
-sF: TCP FIN scan; open ports ignore such packets, while closed ports respond with RST packets. Many firewalls simply filter SYN packets and ignore other forms of TCP packet, so this type of scan can indirectly test how robust the firewall is.
-sU: UDP scan, to detect which UDP services the target host provides; UDP scans are slower.
-sP: ICMP scan, similar to ping detection; quickly determines whether the target host is alive without performing any other scan.
-P0: Skip ping detection. This option treats all target hosts as alive; when the other side does not respond to ICMP requests, it prevents the scan from being abandoned because the host cannot be pinged.

netstat -natp    (view the status of the running TCP connections)

netstat -naup    (view the status of the running UDP connections)

Example

#Check the open TCP ports and UDP ports of this machine respectively
nmap -sT 127.0.0.1
nmap -sU 127.0.0.1

#Detect which hosts on the 192.168.4.0/24 network segment provide HTTP services
nmap -p 80 192.168.4.0/24

#Detect which hosts on the 192.168.4.0/24 network segment are alive
nmap -n -sP 192.168.4.0/24

Common options of the netstat command:

-a: Display all active network connections in the host (including service ports in the listening and non-listening states).
-n: Display host addresses, ports and other information in numeric form.
-t: Display TCP-related information.
-u: Display UDP-related information.
-p: Display the process ID and process name associated with each network connection (this option requires root privileges).
-r: Display the routing table.
-l: Display only the network connections and ports in the listening state.

Origin blog.csdn.net/Jun____________/article/details/113597326