"Cloud computing" Linux basic protective measures (Case)

1.Linux basic precautions
 issue
in this case requires basic precautions practice Linux system, complete the following tasks:
1) prohibit ordinary users reboot, halt, poweroff program
2) modify the user's account zhangsan property, set 2015-12- 31 fail (prohibition sign in)
3) lisi lock the user's account, it can not login, verify the effect unlock
4) lock files /etc/resolv.conf,/etc/hosts, to prevent their contents from being inadvertently modified
5 ) modify tty terminal prompt, so that the first line of text before login seen as "Windows Server 2012 Enterprise R2", the second line of text is "NT 6.2 Hybrid"
 steps
to achieve this case need to follow the steps below.
Step one: prevent ordinary users from running reboot, halt and poweroff
1) Check the default console application permissions
The consolehelper mechanism lets ordinary users run a few privileged programs, for convenience on a Linux workstation. For example, after logging in an ordinary user (such as zengye) can run reboot to restart the system, or poweroff to shut it down.
By default the configuration files for these console programs live in the /etc/security/console.apps/ directory:
[root@svr5 ~]# ls /etc/security/console.apps/
authconfig      halt          subscription-manager          system-config-keyboard
authconfig-gtk  poweroff      subscription-manager-gui      system-config-network
authconfig-tui  reboot        system-config-authentication  system-config-network-cmd
config-util     rhn_register  system-config-date            system-config-users
eject           setup         system-config-kdump           xserver
2) Remove the individual high-risk console programs
Simply removing the reboot, halt and poweroff configuration files from /etc/security/console.apps/ takes away the ordinary user's ability to run these programs.
Back the files up with tar first; the --remove-files option deletes the originals once they have been added to the archive:
[root@svr5 ~]# cd /etc/security/console.apps/
[root@svr5 console.apps]# tar zcpvf pw-app.tgz reboot halt poweroff --remove-files
reboot
halt
poweroff
Confirm the result of the removal:
[root@svr5 console.apps]# ls poweroff reboot halt
ls: cannot access reboot: No such file or directory
ls: cannot access halt: No such file or directory
ls: cannot access poweroff: No such file or directory
3) Test the adjusted result
Running reboot and the other programs as an ordinary user no longer works:
[zengye@localhost ~]$ which reboot
/usr/bin/reboot
[zengye@localhost ~]$ reboot
[zengye@localhost ~]$
The /usr/bin/reboot found here is the consolehelper wrapper, which now exits silently because it has no configuration left to act on; the real /sbin/reboot is untouched and still requires root. This mechanism is specific to consolehelper on RHEL 6 style systems; hosts running systemd grant the same actions through polkit rules instead, and the wrappers above do not exist there.
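The backup-then-remove step above, rewritten as an added example (not code from the original post) so that the console.apps files are deleted only after the archive has been listed back and every name confirmed present; tar --remove-files does both in one go, this variant lets you verify the backup first. The function names and the scratch directory used in the usage notes are my own; run it against the real /etc/security/console.apps as root.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes GNU or BSD tar with
# gzip support; the scratch directory in the test is constructed, not real.

# High-risk console applications an ordinary user should not be able to run.
RISKY_APPS="reboot halt poweroff"

# console_apps_audit DIR -> prints each risky app whose config file is still
# present in DIR; returns 1 if any was found, 0 if the directory is clean.
console_apps_audit() {
    found=0
    for app in $RISKY_APPS; do
        if [ -e "$1/$app" ]; then
            echo "$app"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# backup_and_remove ARCHIVE DIR FILE... -> archives FILE... (paths relative
# to DIR) into ARCHIVE, lists the archive back and checks every file is in
# it, and only then removes the originals.  If any file is missing from the
# archive nothing is removed and the function returns 1.
backup_and_remove() {
    archive=$1
    dir=$2
    shift 2
    tar -C "$dir" -czf "$archive" "$@" || return 1
    for f in "$@"; do
        tar -tzf "$archive" | grep -qx "$f" || {
            echo "backup verification failed for $f, nothing removed" >&2
            return 1
        }
    done
    for f in "$@"; do
        rm -f "$dir/$f"
    done
}

# Usage on a live host (as root):
#   console_apps_audit /etc/security/console.apps
#   backup_and_remove /root/pw-app.tgz /etc/security/console.apps $RISKY_APPS
#   console_apps_audit /etc/security/console.apps   # now prints nothing
```

Keep the archive outside the directory you are cleaning (the original puts pw-app.tgz inside console.apps), so a later audit of that directory is not confused by the tarball.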
Step two: modify the attributes of user zhangsan's account so that it expires on 2015-12-31 (login prohibited)
1) An unexpired ordinary account can log in
Log in as zhangsan to test.
2) An expired account cannot log in
Use the chage command to make the zhangsan account expire relative to the current date (for example, the day before today):
[root@svr5 ~]# date
Sat May 16 14:16:25 CST 2015
[root@svr5 ~]# chage -E 2015-05-15 zhangsan        // set the expiry to the day before today
Try to log in as zhangsan again: after the correct user name and password are entered the session is dropped immediately and the login prompt returns, which shows that the account has expired.
3) Reset zhangsan's attributes, setting the expiry date to 2015-12-31
[root@svr5 ~]# chage -E 2015-12-31 zhangsan        // change the expiry date
[root@svr5 ~]# chage -l zhangsan                   // view the account's ageing information
Last password change                                    : May 15, 2015
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Dec 31, 2015
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
chage -E stores the date as a day count in the eighth field of /etc/shadow; chage -E -1 removes the expiry again. Account expiry is independent of password expiry: it refuses every login method for the account, including SSH keys, once the date is reached.
Step three: lock the user account lisi so that it cannot log in, then unlock it and verify the effect
1) An unlocked ordinary account can log in
Log in as lisi to test.
2) Lock the user account
Lock the lisi account with the passwd command (usermod -L also works):
[root@svr5 ~]# passwd -l lisi                      // lock the account
Locking password for user lisi.
passwd: Success

[root@svr5 ~]# passwd -S lisi                      // check the status
lisi LK 2013-08-14 0 99999 7 -1 (Password locked.)
3) Verify that lisi can no longer log in, showing that the lock is in effect
Even after entering the correct user name and password the user always sees "Login incorrect" and cannot log in.
4) Unlock the lisi account
[root@svr5 ~]# passwd -u lisi                      // unlock the account
Unlocking password for user lisi.
passwd: Success

[root@svr5 ~]# passwd -S lisi                      // check the status
lisi PS 2013-08-14 0 99999 7 -1 (Password set, SHA512 crypt.)
Note that passwd -l only invalidates the password hash. A user who has an SSH key in ~/.ssh/authorized_keys can still log in over SSH while "locked" in this way; to block every login method use the account expiry from step two (chage -E 1970-01-02 lisi, or usermod -e) or an invalid shell as well.
Step four: lock the files /etc/resolv.conf and /etc/hosts
1) Lock the files with chattr and confirm the result with lsattr
[root@svr5 ~]# chattr +i /etc/resolv.conf /etc/hosts
[root@svr5 ~]# lsattr /etc/resolv.conf /etc/hosts
----i--------e- /etc/resolv.conf
----i--------e- /etc/hosts
2) Test the effect of the file lock
[root@svr5 ~]# rm -rf /etc/resolv.conf
rm: cannot remove `/etc/resolv.conf': Operation not permitted
[root@svr5 ~]# echo "192.168.4.1 gateway.tarena.com" >> /etc/hosts
bash: /etc/hosts: Permission denied
3) Restore the original attributes of both files (so that later exercises are not affected)
[root@svr5 ~]# chattr -i /etc/resolv.conf /etc/hosts
[root@svr5 ~]# lsattr /etc/resolv.conf /etc/hosts
-------------e- /etc/resolv.conf
-------------e- /etc/hosts
The immutable attribute stops root as well as ordinary users, which is what makes it useful against accidental edits, but anyone with root (the CAP_LINUX_IMMUTABLE capability) can clear it with chattr -i exactly as shown here, so it is not a defence against a compromised root account. It is also filesystem-specific (ext2/3/4, xfs and a few others).
Note: when passwd -l is used to lock an account it prefixes the password field in /etc/shadow with two exclamation marks, whereas usermod -L prefixes only one. usermod -U removes one "!" per run, so an account locked with passwd -l and unlocked with usermod -U has to be unlocked twice.
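The account states produced in steps two and three, and the "!!" versus "!" difference just noted, all end up as text in /etc/shadow. The following added example (my code, not from the original post) classifies shadow records the way login treats them: it parses the password field and the expiry day count, and converts dates to that day count without relying on GNU date -d. The records in the usage notes are constructed and their hashes are placeholders; the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original post.
# Shadow record fields: name:hash:lastchg:min:max:warn:inact:expire:reserved
#   hash    "!!" alone  = no password was ever set (RHEL useradd default)
#           "!!"<hash>  = locked by passwd -l  (two marks, see the note above)
#           "!"<hash>   = locked by usermod -L (one mark)
#           "*"         = no password; key-only or service account
#   expire  days since 1970-01-01 from which login is refused (chage -E);
#           empty means never.

# days_since_epoch YYYY-MM-DD -> day count as stored in /etc/shadow
# (proleptic Gregorian calendar, pure shell arithmetic).
days_since_epoch() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                       # strip a leading zero
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# shadow_state RECORD YYYY-MM-DD -> prints one of
#   active | expired | locked-passwd | locked-usermod | nopassword
# Expiry is checked before the password, as login does: an expired account
# is refused whatever the password field says.
shadow_state() {
    record=$1
    today=$(days_since_epoch "$2")
    IFS=: read -r name hash lastchg min max warn inact expire reserved <<EOF
$record
EOF
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired
        return
    fi
    case "$hash" in
        ''|'*'|'!!')  echo nopassword ;;
        '!!'*)        echo locked-passwd ;;
        '!'*)         echo locked-usermod ;;
        *)            echo active ;;
    esac
}

# shadow_audit FILE YYYY-MM-DD -> one "name state" line per record in FILE
# that cannot log in with a password on that date.
shadow_audit() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        s=$(shadow_state "$line" "$2")
        [ "$s" = active ] || echo "${line%%:*} $s"
    done < "$1"
}

# Usage on a live host (as root), with today's date:
#   shadow_audit /etc/shadow "$(date +%F)"
```

shadow_state reports the password-based view only; as noted under step three, a locked hash does not stop SSH key logins, whereas the expired state does.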
Step five: modify the tty login prompt to hide the system version
1) Back up the original /etc/issue file, then overwrite its contents as required
[root@svr5 ~]# cat /etc/issue                      // confirm the original file
Red Hat Enterprise Linux Server release 6.5 (Santiago)
Kernel \r on an \m

[root@svr5 ~]# cp /etc/issue /etc/issue.origin     // back up the file
[root@svr5 ~]# vim /etc/issue                      // modify the file contents
Windows Server 2012 R2 Enterprise
NT 6.2 Hybrid
2) Test the effect of the version disguise
Log out of a tty terminal that is currently logged in, or restart the Linux system: the refreshed prompt now shows the custom text, as in Figure -1.

Figure -1 (screenshot of the tty login prompt showing the custom banner)
/etc/issue is only displayed by getty on the local virtual consoles. Remote logins show /etc/issue.net instead, and only if sshd is configured with a Banner directive. The change hides the version from a casual observer at the console; it does not stop a logged-in user from reading it with uname -r or /etc/redhat-release, nor a remote scanner from reading the SSH version string.
2. Using sudo to delegate administrative rights
 Problem
This case requires using the sudo mechanism to delegate administrative operations, mainly the following tasks:
1) Enable logging for sudo in order to track the operations performed through sudo
2) Allow the web site operations officer tradm to control the httpd and mysqld services through sudo
3) Allow the user ugadm to add, delete and modify user accounts other than root through sudo
4) Allow members of the wheel group to run any command under /bin/ with privileges
 Steps
To implement this case, follow the steps below.
Step one: enable logging for sudo to track operations performed through sudo
1) Modify the /etc/sudoers configuration and add a logfile setting
[root@svr5 ~]# visudo
Defaults logfile="/var/log/sudo"
... ...
Always edit sudoers through visudo: it locks the file and checks the syntax before saving, and a syntax error in a hand-edited sudoers disables sudo for everyone.
2) Perform an operation through sudo as root (root has all permissions by default)
[root@svr5 ~]# sudo -l                             // list the operations sudo authorises
Matching Defaults entries for root on this host:
    logfile=/var/log/sudo, requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User root may run the following commands on this host:
    (ALL) ALL
3) Confirm that logging is in effect
[root@svr5 ~]# tail /var/log/sudo
... ...
May 16 22:14:49 : root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=list
Step two: allow the web operations officer tradm to control the httpd and mysqld services through sudo
1) Modify the /etc/sudoers configuration
Grant tradm execute permission on the relevant scripts, so that the httpd and mysqld services can be managed through the service tool or by running the two init scripts directly.
[root@svr5 ~]# visudo
... ...
Cmnd_Alias LAMP_CTRL = /sbin/service httpd *, /sbin/service mysqld *, /etc/init.d/httpd, /etc/init.d/mysqld
tradm localhost,svr5=LAMP_CTRL
2) Switch to user tradm and verify the sudo execute permission
[root@svr5 ~]# su - tradm
[tradm@svr5 ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for tradm:                         // authenticate with tradm's own password
... ...
User tradm may run the following commands on this host:
    (root) /sbin/service httpd *, /sbin/service mysqld *, /etc/init.d/httpd,
    /etc/init.d/mysqld

[tradm@svr5 ~]$ service mysqld start               // starting the service without sudo fails
touch: cannot touch `/var/log/mysqld.log': Permission denied
chown: changing ownership of `/var/log/mysqld.log': Operation not permitted
                                                           [FAILED]
... ...
[tradm@svr5 ~]$ sudo service mysqld start          // starting the service through sudo succeeds
Starting mysqld:                                           [  OK  ]
Step three: allow user ugadm to add, delete and modify user accounts other than root through sudo
1) Modify the /etc/sudoers configuration
Grant ugadm execute permission on the user-management commands; an exception is written as a command prefixed with "!". The wildcard "*" can be used in both the command name and its arguments.
[root@svr5 ~]# visudo
... ...
Cmnd_Alias UADM_CTRL = /usr/bin/passwd, !/usr/bin/passwd root, /usr/sbin/user*, !/usr/sbin/user* * root
ugadm localhost,svr5=UADM_CTRL
2) Switch to user ugadm and verify the sudo permission
Ordinary users can be added, deleted and modified through sudo:
[root@svr5 ~]# su - ugadm
[ugadm@svr5 ~]$ sudo -l
... ...
User ugadm may run the following commands on this host:
    (root) /usr/bin/passwd, !/usr/bin/passwd root, /usr/sbin/user*,
    !/usr/sbin/user* * root
[ugadm@svr5 ~]$ sudo useradd newuser01              // can add a user
[ugadm@svr5 ~]$ sudo passwd newuser01               // can change an ordinary user's password
Changing password for user newuser01.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[ugadm@svr5 ~]$ sudo usermod -L newuser01           // can modify user attributes
[ugadm@svr5 ~]$ sudo userdel -r newuser01           // can delete a user account
But the attributes of the root user cannot be modified:
[ugadm@svr5 ~]$ sudo usermod -L root
Sorry, user ugadm is not allowed to execute '/usr/sbin/usermod -L root' as root on svr5.tarena.com.
[ugadm@svr5 ~]$ sudo passwd root
Sorry, user ugadm is not allowed to execute '/usr/bin/passwd root' as root on svr5.tarena.com.
Caveat: a "!" entry matches only the argument string written after it. "!/usr/bin/passwd root" refuses exactly the argument string "root", and "!/usr/sbin/user* * root" refuses only argument strings that end in " root"; any invocation whose arguments are arranged differently is not matched by the exception and falls through to the unrestricted positive entries "/usr/bin/passwd" and "/usr/sbin/user*", which permit any arguments. sudoers(5) itself warns that subtracting commands with "!" is not a reliable restriction. If root must really be protected, list only the exact commands and argument forms that are needed rather than a wildcard minus exceptions.
Step four: allow wheel group members to run any command under /bin/ with privileges
This case demonstrates both the convenience of sudo and the danger of configuring it carelessly; use it with caution in a production environment.
Implement it with the following operations:
[root@svr5 ~]# visudo
... ...
%wheel localhost,svr5=/bin/*
[root@svr5 ~]# usermod -a -G wheel zengye
[zengye@svr5 ~]$ sudo -l
... ...
User zengye may run the following commands on this host:
    (root) /bin/*
[zengye@svr5 ~]$ sudo /bin/bash                    // comparable to sudo -i: an interactive root shell
[root@svr5 zengye]#                                // straight to root (still in zengye's home directory)
Note: never allow users to run shell-type programs through sudo; it is equivalent to handing over full root privileges. /bin/* covers /bin/bash, /bin/sh and /bin/su, and editors or pagers that can spawn a shell (vi, less) are just as dangerous.
The name of the program proves nothing either. If /bin/bash is copied to /sbin/serv1ce (a name chosen to be confusing) and that entry is mixed in with the other normal commands authorised to a user such as tradm, the user runs sudo serv1ce and has root's identity:
[zengye@svr5 ~]$ sudo serv1ce                      // run the disguised shell program
[sudo] password for zengye:                        // verify the user's password
[root@svr5 zengye]# whoami                         // check the current identity
root
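Two checks for the failure mode described in this step, as an added example (my code, not from the original post): a scan of the sudo logfile from step one for entries whose COMMAND is a shell, and a checksum comparison that finds a renamed copy of a shell such as the /sbin/serv1ce above, since the name tells you nothing. The log lines in SAMPLE_SUDO_LOG are constructed for illustration, and the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original post.  Assumes the sudo logfile
# format produced by "Defaults logfile=..." as shown in step one:
#   <date> : <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=<cmd> [args]

# Constructed sample log, not a real capture.
SAMPLE_SUDO_LOG='May 16 22:14:49 : root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=list
May 16 22:20:03 : tradm : TTY=pts/2 ; PWD=/home/tradm ; USER=root ; COMMAND=/sbin/service mysqld start
May 16 22:25:41 : zengye : TTY=pts/3 ; PWD=/home/zengye ; USER=root ; COMMAND=/bin/bash
May 16 22:26:10 : zengye : TTY=pts/3 ; PWD=/home/zengye ; USER=root ; COMMAND=/sbin/serv1ce
May 16 22:30:00 : ugadm : TTY=pts/4 ; PWD=/home/ugadm ; USER=root ; COMMAND=/usr/sbin/useradd newuser01'

# sudo_log_root_shells FILE -> prints "user command" for every entry whose
# command is a shell or su, i.e. an interactive session as the target user.
# sudo -i is logged as the target user's shell, so it is caught as well.
sudo_log_root_shells() {
    sed -n 's/^.* : \([^ ]*\) : TTY=.* ; COMMAND=\(.*\)$/\1 \2/p' "$1" |
    while read -r user cmd; do
        case "${cmd%% *}" in
            */sh|*/bash|*/dash|*/ksh|*/zsh|*/csh|*/tcsh|*/su)
                echo "$user $cmd" ;;
        esac
    done
}

# file_checksum FILE -> "crc size" from POSIX cksum; reading through the
# redirection follows symlinks, so /bin/sh -> dash compares as dash.
file_checksum() {
    cksum < "$1" | awk '{ print $1 " " $2 }'
}

# disguised_shells DIR SHELL... -> prints every regular file in DIR whose
# contents are identical to one of the SHELL binaries, whatever its name.
disguised_shells() {
    dir=$1
    shift
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sum=$(file_checksum "$f")
        for shell in "$@"; do
            if [ "$sum" = "$(file_checksum "$shell")" ]; then
                echo "$f"
                break
            fi
        done
    done
}

# Usage on a live host:
#   sudo_log_root_shells /var/log/sudo
#   disguised_shells /sbin /bin/sh /bin/bash /bin/dash
```

The checksum comparison only catches exact copies; a wrapper script that execs a shell, or a shell binary with one byte changed, needs a review of every command granted in sudoers rather than a file scan. The log scan depends on the logfile being writable only by root, which is the case for the default mode sudo creates it with.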
3. Improving the security of the SSH service
 Problem
This case requires improving the security of the SSH server on a Linux host, completing the following tasks:
1) Configure a basic security policy (prohibit root logins, prohibit empty passwords)
2) Apply an allow-only policy to SSH user access: users not explicitly listed are refused
3) Implement key-based login (private key protected by a passphrase) and passphrase-free login (no passphrase on the private key)
4) After confirming that key authentication works, disable password authentication
 Scheme
Two RHEL6 virtual machines are used: svr5 acts as the OpenSSH server, and another machine pc205 (or svr5 itself) acts as the test client, as in Figure -2.

Figure -2 (diagram of the svr5 server and the pc205 client)
 Steps
To implement this case, follow the steps below.
Step one: configure the basic security policy
1) Adjust the sshd service configuration and reload the service
[root@svr5 ~]# vim /etc/ssh/sshd_config
... ...
Protocol 2                                         // disable SSH protocol version 1
PermitRootLogin no                                 // prohibit root logins
PermitEmptyPasswords no                            // prohibit logins with an empty password
... ...
[root@svr5 ~]# service sshd reload
Reloading sshd:                                            [  OK  ]
sshd uses the first value it reads for each keyword, so make sure no earlier uncommented line sets the same keyword to a different value; a hardening line appended at the bottom of the file below such a line is silently ignored. sshd -t checks the file for syntax errors before the reload.
2) Test the basic security policy
Attempting to log in as root over SSH fails:
[root@svr5 ~]# ssh root@192.168.4.5
root@192.168.4.5's password:
Permission denied, please try again.
Set the password of user kate on the server to empty; the SSH login attempt then fails too:
[root@svr5 ~]# passwd -d kate                      // clear the user's password
Removing password for user kate.
passwd: Success

[root@svr5 ~]# ssh kate@192.168.4.5
kate@192.168.4.5's password:
Permission denied, please try again.
Step two: apply an allow-only policy to SSH access, refusing users not explicitly listed
1) Adjust the sshd service configuration and add an AllowUsers policy that permits only the users zengye, john and ugadm, where ugadm may log in only from the 192.168.4.0/24 network segment.
[root@svr5 ~]# vim /etc/ssh/sshd_config
... ...
AllowUsers zengye john ugadm@192.168.4.0/24
[root@svr5 ~]# service sshd reload
Reloading sshd:                                            [  OK  ]
2) Verify SSH access control: unauthorised users are refused.
[root@pc205 ~]# ssh ugadm@192.168.4.5               // a listed user is allowed to log in
ugadm@192.168.4.5's password:
[ugadm@svr5 ~]$ exit
[root@pc205 ~]# ssh <unlisted user>@192.168.4.5    // a user not in the list is refused
<unlisted user>@192.168.4.5's password:
Permission denied, please try again.
A refused user still gets the password prompt and the same "Permission denied" as a wrong password, so the list is not visible from the client side; the server's /var/log/secure records the real reason ("User ... from ... not allowed because not listed in AllowUsers").
Step three: implement key-based login (passphrase-protected private key) and passphrase-free login (no passphrase)
1) Prepare the client test environment
On the client pc205 create two test users, mike and nono. mike will be used for SSH login with a passphrase-protected private key, and nono for SSH login with an unprotected private key (no interaction at login).
[root@pc205 ~]# useradd mike
[root@pc205 ~]# useradd nono
[root@pc205 ~]# echo 123456 | passwd --stdin mike
... ...
[root@pc205 ~]# echo 123456 | passwd --stdin nono
... ...
2) Create SSH key pairs for the client users mike and nono
Log in to the client as mike, create the key pair with ssh-keygen and set a passphrase on the private key:
[root@pc205 ~]# su - mike
[mike@pc205 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mike/.ssh/id_rsa):
Created directory '/home/mike/.ssh'.
Enter passphrase (empty for no passphrase):        // set the private key passphrase
Enter same passphrase again:                       // enter the passphrase again
Your identification has been saved in /home/mike/.ssh/id_rsa.
Your public key has been saved in /home/mike/.ssh/id_rsa.pub.
The key fingerprint is:
63:6e:cf:45:f0:56:e2:89:6f:62:64:5a:5e:fd:68:d2 mike@pc205.tarena.com
The key's randomart image is:
+--[ RSA 2048]----+
(randomart image omitted)
+-----------------+
[mike@pc205 ~]$ ls -lh ~/.ssh/id_rsa*              // confirm the key files
-rw-------. 1 mike mike 1.8K Aug 15 10:35 /home/mike/.ssh/id_rsa
-rw-r--r--. 1 mike mike  403 Aug 15 10:35 /home/mike/.ssh/id_rsa.pub

[mike@pc205 ~]$ exit
logout
Switch to user nono and create the key pair with ssh-keygen, leaving the passphrase empty (press Enter directly):
[root@pc205 ~]# su - nono
[nono@pc205 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/nono/.ssh/id_rsa):
Created directory '/home/nono/.ssh'.
Enter passphrase (empty for no passphrase):        // press Enter to leave the passphrase empty
Enter same passphrase again:                       // press Enter again to confirm
Your identification has been saved in /home/nono/.ssh/id_rsa.
Your public key has been saved in /home/nono/.ssh/id_rsa.pub.
The key fingerprint is:
43:16:c1:88:5a:02:ec:d5:37:22:4e:c0:25:6f:84:63 nono@pc205.tarena.com
The key's randomart image is:
+--[ RSA 2048]----+
(randomart image omitted)
+-----------------+
[nono@pc205 ~]$ ls -lh ~/.ssh/id_rsa*              // confirm the key files
-rw-------. 1 nono nono 1.7K Aug 15 10:37 /home/nono/.ssh/id_rsa
-rw-r--r--. 1 nono nono  403 Aug 15 10:37 /home/nono/.ssh/id_rsa.pub
The private key must stay mode 0600 and must never leave the client; the server only ever receives id_rsa.pub. A passphrase-free key (nono) is convenient for automation, but anyone who copies the file gets the same access, so restrict what such a key can do on the server side (for example with a command= option in authorized_keys). On a current OpenSSH, ssh-keygen -t ed25519 is the better default; RSA 2048 is what the OpenSSH 5.3 on RHEL6 produces.
3) Deploy the public keys of the client users mike and nono to the SSH server
Logged in to the client as nono, use the ssh-copy-id command to deploy nono's own public key to the server; the target user on the server is john:
[nono@pc205 ~]$ ssh-copy-id john@192.168.4.5
john@192.168.4.5's password:
Now try logging into the machine, with "ssh 'john@192.168.4.5'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[nono@pc205 ~]$ exit
logout
Similarly, log in to the client as mike and use ssh-copy-id to deploy mike's public key to the server, again for the target user john:
[root@pc205 ~]# su - mike
[mike@pc205 ~]$ ssh-copy-id john@192.168.4.5
john@192.168.4.5's password:
Now try logging into the machine, with "ssh 'john@192.168.4.5'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
ssh-copy-id authenticates with john's password to append the key, so it only works while password authentication is still enabled on the server; that is why disabling it is left to step four.
4) On the server, confirm the public keys uploaded by the client users mike and nono
The default deployment location is the target user's ~/.ssh/authorized_keys file:
[root@svr5 ~]# tail -2 ~john/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzz+5AiFMGQ7LfuiV7eBnOcmRO9JRTcqRoynGO2y5 ... == nono@pc205.tarena.com
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAl6PopFT7VoFaQFVVKrH4N7VgDIUUjcIc/TN/DMA1 ... == mike@pc205.tarena.com
Review this file as ssh-copy-id suggests: every line in it is a credential for john, and a key that nobody recognises should be removed. The directory must be 0700 and the file 0600, owned by john, or sshd ignores them (StrictModes).
5) Validate SSH key-pair login from the client
From the environment of client user mike, logging in to host 192.168.4.5 as the remote user john requires the passphrase of mike's private key:
[mike@pc205 ~]$ ssh john@192.168.4.5              // the private key passphrase must be supplied
Enter passphrase for key '/home/mike/.ssh/id_rsa':
Last login: Thu Aug 15 10:10:37 2013 from 192.168.4.205
[john@svr5 ~]$ whoami
john
From the environment of client user nono, logging in to 192.168.4.5 as john needs no authentication interaction at all (because the private key has no passphrase):
[nono@pc205 ~]$ ssh john@192.168.4.5              // logs in directly without interaction
Last login: Thu Aug 15 10:48:09 2013 from 192.168.4.205
[john@svr5 ~]$ whoami
john
Step four: after confirming that key authentication works, disable password authentication
1) Adjust the sshd service configuration, setting PasswordAuthentication to no
[root@svr5 ~]# vim /etc/ssh/sshd_config
... ...
PasswordAuthentication no                          // change this line from yes to no
... ...
[root@svr5 ~]# service sshd reload
Reloading sshd:                                            [  OK  ]
Keep an existing session open while doing this and test from a second one, so that a mistake in the key setup cannot lock you out; the open session can still revert the change. Also confirm that ChallengeResponseAuthentication is no (the RHEL6 default), otherwise PAM keyboard-interactive authentication can still accept a password.
2) Confirm that password authentication is unavailable and that only users with a deployed public key can log in
[root@pc205 ~]# su - mike
[mike@pc205 ~]$ ssh <user without a key>@192.168.4.5   // password authentication is refused
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

[mike@pc205 ~]$ ssh john@192.168.4.5              // key authentication logs in successfully
Enter passphrase for key '/home/mike/.ssh/id_rsa':
Last login: Thu Aug 15 10:49:13 2013 from 192.168.4.205
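The sshd_config edits in steps one, two and four are all subject to the same rule: sshd takes the first value it finds for each keyword, so a line appended below an earlier uncommented setting changes nothing, and settings inside a Match block apply only conditionally. The following added example (my code, not from the original post) reads a config the way sshd does and reports which of the directives this section requires are not in effect. The configs used in the usage notes are constructed; the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original post.  Implements the
# "first obtained value wins" rule from sshd_config(5) for global settings,
# stopping at the first Match block, rather than grepping for the last line.

# sshd_effective FILE KEYWORD -> prints the value sshd would use for KEYWORD
# (first uncommented occurrence before any Match block, keyword matched
# case-insensitively), or nothing if it is unset and the default applies.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }   # comment
        NF == 0                { next }   # blank line
        tolower($1) == "match" { exit }   # conditional section: stop here
        tolower($1) == key     { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# sshd_audit FILE -> one finding per line for each directive that is not in
# the hardened state this section sets; returns 1 if anything was found.
sshd_audit() {
    f=$1
    n=0
    v=$(sshd_effective "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$v" = no ] || { echo "PermitRootLogin is '${v:-unset}' (want no)"; n=$((n + 1)); }
    v=$(sshd_effective "$f" PermitEmptyPasswords | tr 'A-Z' 'a-z')
    [ "${v:-no}" = no ] || { echo "PermitEmptyPasswords is '$v' (want no)"; n=$((n + 1)); }
    v=$(sshd_effective "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$v" = no ] || { echo "PasswordAuthentication is '${v:-unset, default yes}' (want no)"; n=$((n + 1)); }
    v=$(sshd_effective "$f" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    [ "$v" = no ] || { echo "ChallengeResponseAuthentication is '${v:-unset}' (want no, PAM can still take passwords)"; n=$((n + 1)); }
    v=$(sshd_effective "$f" Protocol)
    [ -z "$v" ] || [ "$v" = 2 ] || { echo "Protocol is '$v' (want 2)"; n=$((n + 1)); }
    v=$(sshd_effective "$f" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers unset (every account may log in)"; n=$((n + 1)); }
    [ "$n" -eq 0 ]
}

# Usage on a live host:
#   sshd_audit /etc/ssh/sshd_config && echo hardened
```

An unset Protocol is accepted because OpenSSH 7.4 and later no longer implement protocol 1 at all; on the OpenSSH 5.3 shipped with RHEL6 the explicit "Protocol 2" line is needed. The check does not evaluate Match blocks, so per-user or per-address exceptions must still be reviewed by hand.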

Origin blog.csdn.net/xiaozhedeitzhilu/article/details/91894320