System Security and Application Security

First, basic security measures
1, system account cleanup
(1) Set the shell of users who do not need to log in to /sbin/nologin

  • Method one: usermod -s /sbin/nologin username
  • Method two: chsh, which prompts interactively for the new shell
  • Method three: chsh -s /sbin/nologin username

(2) Lock accounts that have not been used for a long time

  • Method one: passwd -l username (prefixes the password hash in /etc/shadow with "!!"); unlock with passwd -u username; check the lock status with passwd -S username
  • Method two: usermod -L username (prefixes the password hash with a single "!"); unlock with usermod -U username

(3) Delete accounts that are no longer needed

  • userdel [-r] username (-r also removes the user's home directory and mail spool)

(4) Lock the account files /etc/passwd and /etc/shadow

  • Lock: chattr +i /etc/passwd /etc/shadow (while the immutable attribute is set, commands that modify accounts, such as useradd or passwd, will fail; remove it before changing accounts)
  • Unlock: chattr -i /etc/passwd /etc/shadow
  • View: lsattr /etc/passwd /etc/shadow

2, password security control
  Method: set a password expiry period

  • Change the password validity period of an existing user:
    • chage -M days username
    • passwd -x days username
  • Set the default validity period for users created in the future:
    • Method: edit /etc/login.defs with vi and change the value after "PASS_MAX_DAYS"
  • Force the user to change the password at the next login:
    • Method: chage -d 0 username (sets the last-change date in /etc/shadow to 0)
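The account-lock markers and password-age fields from sections 1 and 2 all end up in /etc/shadow, so an audit can read them back. The script below is an added example, not code from the original page; the shadow records are constructed sample data and the 90-day limit is an assumed policy value.

```python
# Audit of constructed /etc/shadow-style records against the controls in
# sections 1 and 2 above: lock markers written by passwd -l ("!!") and
# usermod -L ("!"), the maximum password age set by chage -M / passwd -x /
# PASS_MAX_DAYS, and the forced change at next login set by chage -d 0.
# Example code added here, not from the original page; the records are
# constructed sample data, not taken from any real system.
from typing import Dict, List

# Constructed sample lines. Field order: name:hash:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakehash:19000:0:99999:7:::
alice:$6$saltsalt$fakehash:19000:0:90:7:::
bob:!!$6$saltsalt$fakehash:19000:0:99999:7:::
carol:!$6$saltsalt$fakehash:19000:0:99999:7:::
dave:$6$saltsalt$fakehash:0:0:90:7:::
sync:*:19000:0:99999:7:::
"""

MAX_AGE_POLICY = 90  # days; the value PASS_MAX_DAYS / chage -M should enforce (assumed)

def audit_shadow(text: str, max_age: int = MAX_AGE_POLICY) -> Dict[str, List[str]]:
    """Return {account: [findings]} for every record; an empty list means compliant."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, lastchg, _, maxdays = line.split(":")[:5]
        findings: List[str] = []
        if pw.startswith("!!"):
            findings.append("locked with passwd -l ('!!' prefix); unlock: passwd -u")
        elif pw.startswith("!"):
            findings.append("locked with usermod -L ('!' prefix); unlock: usermod -U")
        elif pw == "":
            findings.append("EMPTY password field: login needs no password")
        if pw != "*":  # '*' disables password login entirely, so age rules do not apply
            if lastchg == "0":
                findings.append("must change password at next login (chage -d 0)")
            if maxdays == "" or int(maxdays) > max_age:
                findings.append(f"max age {maxdays or 'unset'} exceeds {max_age} days; "
                                f"fix: chage -M {max_age} {name}")
        report[name] = findings
    return report

if __name__ == "__main__":
    for account, findings in audit_shadow(SAMPLE_SHADOW).items():
        print(account, "->", findings or "ok")
```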

3, command history limitation
(1) Reduce the number of commands kept in the history

  • Method one: edit /etc/profile with vi and change the value after "HISTSIZE="
  • Method two: export HISTSIZE=value

(2) Clear the command history automatically on logout

  • Method: edit the ".bash_logout" file in the user's home directory with vi and add "history -c"

4, automatic terminal logout

  • Method one: edit /etc/profile with vi and add "TMOUT=value" (idle time in seconds)
  • Method two: export TMOUT=value

5, elevating privileges with the sudo command

(1) Drawback of the su command:

  When su is run without specifying a user name it switches to root by default and requires the root password, but in a production environment the root password cannot be widely shared.

  If a user only needs to run certain commands with root privileges, this can be achieved instead by configuring sudo or the wheel group.

(2) The sudo command

  • Role: run authorized commands as another user (root by default)
  • Usage:

      sudo authorized-command

      By default, the first execution asks for the current user's own login password; further sudo commands within five minutes do not ask for the password again.

  • Configuring sudo authorization:
    • Method one: authorize a single user
      • Run visudo or vi /etc/sudoers (same effect) and add the authorization entry
      • Format: user host-list = command-list; prefixing a command with "!" means "all commands except" that one
    • Method two: bulk authorization
      • The wheel group
      • Aliases
      • Define the aliases according to the example and the actual requirement
      • After the aliases are defined, add an entry in the format: user-alias host-alias = command-alias (alias names are all uppercase)

 (3) View the sudo operation log

    • Method:
      • Step one: run visudo or vi /etc/sudoers and add "Defaults logfile=/var/log/sudo"
      • Step two: cat /var/log/sudo
        • Example: enable the Defaults logfile setting and grant user amber permission to execute all commands under /sbin/ and /usr/sbin/ except shutdown and reboot.
        • [root@www ~]# visudo

 (4) Query your own sudo authorizations: sudo -l
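The sudoers entries for the amber example in (3), written out here as an added illustration rather than configuration taken from the original page; the host name www comes from the prompt shown above, and the alias names are assumptions:

```sudoers
# Added example, not from the original page. Edit only with visudo, which
# checks the syntax before saving.
Defaults        logfile=/var/log/sudo

# Alias definitions; alias names must be all uppercase
Host_Alias      WEBHOSTS  = www
Cmnd_Alias      ADMINCMDS = /sbin/, /usr/sbin/
Cmnd_Alias      POWERCMDS = /sbin/shutdown, /sbin/reboot

# Single user: amber may run everything in /sbin and /usr/sbin except shutdown and reboot
amber   WEBHOSTS = ADMINCMDS, !POWERCMDS

# Bulk authorization: every member of the wheel group may run any command as any user
%wheel  ALL = (ALL) ALL
```

The sudoers manual notes that "!" exclusions are not a reliable restriction, so keep the log enabled and review /var/log/sudo; amber can confirm the result with sudo -l.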

6, PAM security authentication

  1, security risks of the su command

    By default any user may run the su command, so other users get unlimited chances to guess the root login password, which is a security risk.

    To tighten control over the use of su, the PAM authentication module can be used so that only a very small number of users may switch users with su.

  2, Pluggable Authentication Modules (PAM)

  (1) PAM introduction

    PAM is an efficient, flexible and convenient user-level authentication method, and it is the authentication method commonly used on Linux servers today.

    PAM provides a central authentication mechanism for all services, covering login, remote login (telnet, rlogin, fsh, ftp), su and similar applications.

    The system administrator sets different authentication policies for different applications through the PAM configuration files.

  (2) PAM authentication principle

     PAM authentication generally follows the order: service → PAM → pam_*.so.

     PAM authentication first determines which service is involved, then loads that service's PAM configuration file (located in /etc/pam.d), and finally calls the authentication modules (located in /lib/security on 32-bit systems and /lib64/security on 64-bit systems) to perform the authentication.

     When a user accesses the server, the server process sends the user's request to the PAM modules for authentication. Different applications use different PAM modules.

     To check whether a program supports PAM authentication, use the ls command;

     for example, to check whether su supports PAM authentication: ls /etc/pam.d | grep su

  3, PAM authentication configuration

    Each line in a configuration file is an independent authentication step

      Each line has three fields: the authentication type, the control type, and the PAM module with its parameters

  4, the four common authentication types

      Type        Role
      auth        Authentication management: receives the user name and password, then verifies the user's password
      account     Account management: checks whether the account may log into the system, whether it has expired, whether login is limited to certain time periods, and other permissions
      password    Password management: used to change the user's password
      session     Session management: provides session management and accounting

  5, the five common control types

  (1) required: on failure, continue with the following modules, but the final result is Fail

  (2) requisite: on failure, end the whole verification immediately and return Fail

  (3) sufficient: on success, return success immediately without continuing; on failure, ignore the result and continue

  (4) optional: the result is not used, it only displays information (this type is commonly used for session)

  (5) include: performs no authentication itself; it hands over to the PAM modules of the included configuration file

  6, using a PAM authentication module to restrict the use of a command or service

  (1) Edit the configuration file for the command under /etc/pam.d/ with vi and enable the pam_wheel module

  (2) Add the authorized users to the wheel group
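To see how the control types in 5 combine once the pam_wheel line in 6 is enabled, the following simulation walks a constructed version of the su "auth" stack through the required/requisite/sufficient/optional/include rules. It is an added example, not code from the original page: module results are constructed inputs, no real PAM call is made, and the module order mirrors a typical /etc/pam.d/su plus system-auth (assumed). One detail the list above leaves implicit is also modelled: in Linux-PAM a sufficient success only ends the stack if no earlier required module has failed.

```python
# Simulation of how Linux-PAM combines module results inside one management
# group, here the "auth" lines of /etc/pam.d/su with pam_wheel enabled.
# Example code added here, not from the original page; module results are
# constructed inputs, no real PAM call is made.
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (control type, module name)

# Constructed stand-in for /etc/pam.d/su: "auth required pam_wheel.so use_uid"
# is the line section 6 enables, so only wheel members get past it.
SU_AUTH: List[Entry] = [
    ("sufficient", "pam_rootok.so"),  # root itself needs no password
    ("required", "pam_wheel.so"),     # caller must be in the wheel group
    ("include", "system-auth"),       # continue with the system-wide stack
]
# Constructed stand-in for the "auth" lines of /etc/pam.d/system-auth.
INCLUDES: Dict[str, List[Entry]] = {"system-auth": [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),      # the actual password check
    ("requisite", "pam_succeed_if.so"),
    ("required", "pam_deny.so"),        # catch-all that always fails
]}

def expand(stack: List[Entry], includes: Dict[str, List[Entry]]) -> List[Entry]:
    """Splice the lines of included files into the stack, as 'include' does."""
    out: List[Entry] = []
    for control, module in stack:
        out += expand(includes[module], includes) if control == "include" else [(control, module)]
    return out

def evaluate(stack: List[Entry], results: Dict[str, bool], includes=None) -> bool:
    """Return True if the stack grants access, False otherwise (failing sufficient
    modules and optional modules never change the outcome)."""
    required_failed = False
    for control, module in expand(stack, includes or {}):
        ok = results.get(module, False)  # an unlisted module counts as failed
        if control == "required" and not ok:
            required_failed = True  # keep going, but the final result is already Fail
        elif control == "requisite" and not ok:
            return False            # abort the whole stack immediately
        elif control == "sufficient" and ok and not required_failed:
            return True             # success: stop here (only if no required module failed before)
        elif control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unknown control type: {control}")
    return not required_failed

def su_allowed(is_root: bool, in_wheel: bool, password_ok: bool) -> bool:
    """Outcome of 'su' for a caller with these properties (constructed scenario)."""
    results = {"pam_rootok.so": is_root, "pam_wheel.so": in_wheel, "pam_env.so": True,
               "pam_unix.so": password_ok, "pam_succeed_if.so": True, "pam_deny.so": False}
    return evaluate(SU_AUTH, results, INCLUDES)
```

The third scenario in the test, a user outside wheel who knows the correct root password, is the case the pam_wheel line exists to block.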

Origin www.cnblogs.com/wzy01/p/11324962.html