System security and applications

I. Basic security measures
1. System account cleanup
(1) Set the shell of accounts that never log in interactively to /sbin/nologin

  • Method one: usermod -s
  • Method two: the chsh command, modifying interactively
  • Method three: chsh -s

(2) Lock accounts that are not in long-term use

  • Method one: passwd -l (prepends two "!" to the ciphertext); unlock with passwd -u; check the status with passwd -S
  • Method two: usermod -L (prepends one "!" to the ciphertext); unlock with usermod -U

(3) Delete unneeded accounts

  • userdel [-r] username

(4) Lock the account files /etc/passwd and /etc/shadow

  • Lock: chattr +i /etc/passwd /etc/shadow
  • Unlock: chattr -i /etc/passwd /etc/shadow
  • View: lsattr /etc/passwd /etc/shadow

2. Password security controls
  Method: set a password validity period

  • Change the password validity period of an existing user:
    • chage -M days username
    • passwd -x days username
  • Set the default password validity period for users added in the future:
    • Method: edit the /etc/login.defs file with vi and change the value after "PASS_MAX_DAYS"
  • Require the user to change the password at the next login:
    • Method: chage -d 0 username
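An added check that ties sections 1 and 2 together (example code written for this page, not from the original notes): a POSIX sh audit over constructed /etc/passwd and /etc/shadow samples that reports each account's login shell, the lock marker that passwd -l or usermod -L leaves in the hash field, and the expiry fields that chage -M, passwd -x and chage -d 0 set. The sample users, home directories and hashes are made up.

```shell
# Constructed stand-ins for /etc/passwd and /etc/shadow; the hashes are placeholders.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
amber:x:1001:1001::/home/amber:/bin/bash
ftpuser:x:1002:1002::/srv/ftp:/sbin/nologin
olduser:x:1003:1003::/home/olduser:/bin/bash
newhire:x:1004:1004::/home/newhire:/bin/bash'
SHADOW_SAMPLE='root:$6$c0nstructed$HASH:19000:0:90:7:::
amber:!!$6$c0nstructed$HASH:19000:0:99999:7:::
ftpuser:*:19000:0:99999:7:::
olduser:!$6$c0nstructed$HASH:19000:0:99999:7:::
newhire:$6$c0nstructed$HASH:0:0:90:7:::'

# field <user> <n> <data>: colon-separated field n of the line whose first field is user
field() { printf '%s\n' "$3" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; exit }'; }
# Section 1 (1): a nologin/false shell cannot be used interactively.
shell_kind() {
  case $(field "$1" 7 "$PASSWD_SAMPLE") in
    /sbin/nologin|/usr/sbin/nologin|/bin/false) echo nologin ;;
    *) echo interactive ;;
  esac
}

# Section 1 (2): the lock state is encoded in the prefix of the hash field, as passwd -S reports it.
password_status() {
  case $(field "$1" 2 "$SHADOW_SAMPLE") in
    '')    echo NP ;;               # empty field: no password required
    '!!'*) echo 'LK(passwd -l)' ;;  # passwd -l prepends two "!"
    '!'*)  echo 'LK(usermod -L)' ;; # usermod -L prepends one "!"
    '*')   echo 'LK(no hash)' ;;    # never had a usable password
    *)     echo PS ;;               # usable password set
  esac
}

# Section 2: field 3 is the last-change day, field 5 the maximum age set by chage -M / passwd -x.
expiry_status() {
  last=$(field "$1" 3 "$SHADOW_SAMPLE"); max=$(field "$1" 5 "$SHADOW_SAMPLE")
  if [ "$last" = 0 ]; then echo must-change           # chage -d 0: change at next login
  elif [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never-expires
  else echo "expires-${max}d"; fi
}

# One line per account: user, shell kind, lock state, expiry.
audit_accounts() {
  printf '%s\n' "$PASSWD_SAMPLE" | cut -d: -f1 | while read -r u; do
    printf '%-8s %-11s %-14s %s\n' "$u" "$(shell_kind "$u")" "$(password_status "$u")" "$(expiry_status "$u")"
  done
}
audit_accounts
```

On a real host, replace the two sample variables with the contents of the actual files (reading /etc/shadow requires root).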

3. Command history limits
(1) Reduce the number of commands kept in the history

  • Method one: edit the /etc/profile file with vi and change the value after "HISTSIZE="
  • Method two: export HISTSIZE=value

(2) Clear the command history automatically on logout

  • Method: edit the ".bash_logout" file in the home directory with vi and add "history -c"

4. Automatic terminal logout

  • Method one: edit the /etc/profile file with vi and add "TMOUT=value"
  • Method two: export TMOUT=value

5. Elevating privileges with the sudo command

(1) The sudo command

  • Role: execute an authorized command as another user (root by default)
  • Usage: sudo command. By default, the first time it is run the current user's login password must be entered; running sudo again within five minutes does not prompt for the password again.
  • Configuring sudo authorization:
    • Method one: authorize a single user
      • visudo or vi /etc/sudoers (same effect); add the configuration entries
      • Format: user hostname=command list; a "!" in front of a command means "except" that command
    • Method two: bulk authorization
      • the wheel group
      • aliases
      • Define the aliases according to the example and the actual needs
      • After defining aliases, the entry format is: user alias host alias=command alias (alias names are all uppercase)

(2) Viewing the sudo operation log

  • Method:
    • Step one: visudo or vi /etc/sudoers, add "Defaults logfile=/var/log/sudo"
    • Step two: cat /var/log/sudo
      • Example: enable the Defaults logfile setting, and give user amber permission to execute all commands under /sbin/ and /usr/sbin/ except shutdown and reboot.
      • [root@www ~]# visudo

(3) Querying one's own sudo authorization: sudo -l
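The amber rule from the example above, written out as a constructed sudoers fragment, with a small POSIX sh matcher (an added example, not part of the original notes) that applies the page's rule that "!" means "except" the way sudo does: the entries are checked in order and the last matching one wins. The user name, paths and commands are those of the page's example; the matcher ignores command arguments and run-as users.

```shell
# Constructed sudoers fragment for the page's example (not copied from any real host).
SUDOERS_FRAGMENT='Defaults logfile=/var/log/sudo
amber ALL=/sbin/*, /usr/sbin/*, !/sbin/shutdown, !/sbin/reboot'

# sudoers_cmnd_list <user>: the command list (everything after "=") of the first rule for user.
sudoers_cmnd_list() {
  printf '%s\n' "$SUDOERS_FRAGMENT" | awk -v u="$1" '$1 == u { sub(/^[^=]*=/, ""); print; exit }'
}

# sudo_cmd_allowed <command list> <absolute command>: walk the list in order; an entry
# starting with "!" takes a matching command away again, and the last matching entry wins.
sudo_cmd_allowed() (
  set -f                     # the entries are sudoers globs; never expand them against the filesystem
  spec=$1 cmd=$2 verdict=deny
  IFS=','
  for entry in $spec; do
    entry=${entry#"${entry%%[! ]*}"}   # strip leading blanks
    entry=${entry%"${entry##*[! ]}"}   # strip trailing blanks
    case $entry in
      '!'*) pat=${entry#"!"}; negate=1 ;;
      *)    pat=$entry;       negate=0 ;;
    esac
    case $cmd in
      $pat) if [ "$negate" -eq 1 ]; then verdict=deny; else verdict=allow; fi ;;
    esac
  done
  printf '%s\n' "$verdict"
)

CMNDS=$(sudoers_cmnd_list amber)
for c in /sbin/ifconfig /usr/sbin/useradd /sbin/shutdown /sbin/reboot /bin/bash; do
  printf '%-18s %s\n' "$c" "$(sudo_cmd_allowed "$CMNDS" "$c")"
done
```

Because the last match wins, the "!" entries must come after the wildcard entries they narrow; placed before them they have no effect.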

6. PAM security authentication

  1. Pluggable Authentication Modules (PAM)

  (1) Introduction to PAM

    PAM is an efficient, flexible and convenient user-level authentication mechanism, and it is also the authentication method most commonly used on Linux servers today.

    PAM provides a central authentication mechanism for all services: login, remote login (telnet, rlogin, fsh, ftp), su and similar applications.

    Through the PAM configuration files, the system administrator can define different authentication policies for different applications.

  (2) How PAM authentication works

     PAM authentication generally follows the order: service → PAM → pam_*.so.

     PAM authentication first determines which service is involved, then loads the corresponding PAM configuration file (located in /etc/pam.d), and finally calls the authentication files (located in /lib/security on 32-bit systems and /lib64/security on 64-bit systems) to perform the security authentication.

     When a user accesses the server, the server process sends the user's request to the PAM module for authentication. Different applications correspond to different PAM modules.

     To see whether a program supports PAM authentication, use the ls command.

     For example, to check whether su supports PAM authentication: ls /etc/pam.d | grep su

  3. PAM authentication configuration

    Each line is a separate authentication process.

      Each line is divided into three fields: the authentication type, the control type, and the PAM module with its parameters.

  4. The four common authentication types

      Authentication type, meaning and role:

      • auth: authentication management. Accepts the user name and password, then authenticates the user's password.

      • account: account management. Checks whether the account is allowed to log in to the system, whether it has expired, whether logins are limited to certain time periods, and other rights.

      • password: password management. Used to change the user's password.

      • session: session management. Provides session management and accounting.

  5. The five common control types

  (1) required: if verification fails, continue with the remaining modules, but finally return Fail

  (2) requisite: if verification fails, end the whole verification process immediately and return Fail

  (3) sufficient: if verification succeeds, return immediately and do not continue; otherwise ignore the result and continue

  (4) optional: not used for verification, only to display information (commonly used with the session type)

  (5) include: performs no authentication itself; authentication is handed to the PAM modules that follow

  6. Using a PAM authentication module to restrict the use of a command or service

  (1) vi /etc/pam.d/<command>: edit the configuration file corresponding to the command and enable the pam_wheel module

  (2) Add the authorized users to the wheel group
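To make the control types concrete, the following POSIX sh function (an added example, not from the original notes) evaluates a constructed auth stack modelled on /etc/pam.d/su with pam_wheel enabled, given made-up outcomes for each module. The stack lines and the module names pam_rootok.so, pam_wheel.so and pam_unix.so are assumptions for this example; the real su file on a given distribution may differ.

```shell
# pam_module_result <module> <outcomes>: look up a module's constructed outcome ("ok" or "fail").
pam_module_result() {
  for kv in $2; do
    case $kv in "$1="*) printf '%s\n' "${kv#*=}"; return 0 ;; esac
  done
  printf 'fail\n'                 # a module with no recorded outcome counts as a failure
}

# pam_stack_eval <stack> <outcomes>: apply the control flags to the lines of one stack, in order.
#   required   a failure is remembered, but the remaining modules still run
#   requisite  a failure ends the stack at once with deny
#   sufficient a success ends the stack at once with allow, unless a required module already failed
#   optional   the result is ignored (only decisive when it is the sole module, not modelled here)
pam_stack_eval() {
  failed=0
  while read -r ptype ctl module args; do
    [ -n "$ctl" ] || continue
    r=$(pam_module_result "$module" "$2")
    case $ctl in
      required)   if [ "$r" != ok ]; then failed=1; fi ;;
      requisite)  if [ "$r" != ok ]; then echo deny; return 0; fi ;;
      sufficient) if [ "$r" = ok ] && [ "$failed" -eq 0 ]; then echo allow; return 0; fi ;;
      *)          ;;              # optional, include, substack: no effect in this model
    esac
  done <<EOF
$1
EOF
  if [ "$failed" -eq 0 ]; then echo allow; else echo deny; fi
}

# Constructed auth stack in the shape of /etc/pam.d/su with pam_wheel enabled (section 6, step 1).
SU_AUTH_STACK='auth sufficient pam_rootok.so
auth required   pam_wheel.so use_uid
auth required   pam_unix.so'

pam_stack_eval "$SU_AUTH_STACK" 'pam_rootok.so=ok'                                     # root itself: allow
pam_stack_eval "$SU_AUTH_STACK" 'pam_rootok.so=fail pam_wheel.so=ok pam_unix.so=ok'    # wheel member, correct password: allow
pam_stack_eval "$SU_AUTH_STACK" 'pam_rootok.so=fail pam_wheel.so=fail pam_unix.so=ok'  # outside wheel, correct password: deny
```

The third call shows why pam_wheel is listed as required: a correct password can no longer rescue a user who is not in the wheel group.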

7. Boot and shutdown security controls

    1. Set a BIOS password

    2. Disable the Ctrl+Alt+Del reboot hotkey

    • Method one: systemctl mask ctrl-alt-del.target
    • systemctl daemon-reload

    3. GRUB menu restrictions

    • Method: grub2-mkpasswd-pbkdf2
    • cp /boot/grub2/grub.cfg
    • cp /etc/grub.d/00_header
    • vi /etc/grub.d/00_header
    • Add at the end:
    • set superusers="root"
    • password_pbkdf2 root ciphertext
    • grub2-mkconfig -o /boot/grub2/grub.cfg

    4. Disable root login on terminals

    • Method: vi /etc/securetty

    5. Prohibit ordinary users from logging in

    • Method: touch /etc/nologin

    6. Weak password detection (requires installation)

    • ./john shadow

    7. Port scanning

      • Method: nmap [scan type] [options] target


Source: www.cnblogs.com/cxm123123form/p/11348531.html