Essential security measures for Linux systems

As an open-source operating system, Linux is widely used on servers because of its significant advantages in security, efficiency and stability. With that wide use comes the question of how to secure Linux systems.

This post covers the following Linux security topics:
I. account security controls;
II. system boot and login controls;
III. weak-password detection and port scanning.

I. Account security controls

A user account is the credential by which a computer identifies its user; anyone who wants to access system resources must first log in to the computer with an account. Linux provides several mechanisms to ensure that user accounts are used legitimately and safely.

1. Basic (essential) security measures

(1) Cleaning up system accounts

Besides the accounts that users create by hand, a Linux system contains a number of accounts created by the system itself or during installation. Apart from the superuser root, these accounts exist only to run the service processes that keep the system working; under normal circumstances they are not allowed to log in to the system and are therefore called non-login accounts.

The login shell of a non-login account is usually /sbin/nologin, which forbids terminal login. You should check that this has not been changed, for example:

[root@localhost ~]# grep "/sbin/nologin" /etc/passwd
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
                 ………………                     //part of the output omitted

Among the non-login accounts there are quite a few that are rarely used, such as games. These are called redundant accounts and can be deleted. In addition, some applications create user accounts when they are installed; if those accounts are not removed automatically when the application is uninstalled, the administrator needs to delete them by hand.

For accounts on a Linux server that have not been used for a long time, if you cannot decide whether to delete them, you can lock them temporarily. For example:

[root@localhost ~]# usermod -L q1                                  //lock the account
[root@localhost ~]# passwd -S q1                                   //check the account status
q1 LK 2019-08-27 0 99999 7 -1 (密码已被锁定。)
[root@localhost ~]# usermod -U q1                                 //unlock the account
[root@localhost ~]# passwd -S q1
q1 PS 2019-08-27 0 99999 7 -1 (密码已设置,使用 SHA512 算法。)

If the server's user accounts are fixed and will no longer be modified, you can also lock the account files themselves to protect the accounts further. For example:

[root@localhost ~]# chattr +i /etc/passwd /etc/shadow                      //lock the files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow                          //check: shows the locked state
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow                     //unlock the files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow                         //check: shows the unlocked state
---------------- /etc/passwd
---------------- /etc/shadow

While the account files are locked, their contents cannot be modified, so accounts cannot be added or deleted, and a user's password, login shell, home directory and other attributes cannot be changed.

[root@localhost ~]# chattr +i /etc/passwd /etc/shadow
[root@localhost ~]# lsattr /etc/passwd /etc/shadow
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# useradd a1
useradd:无法打开 /etc/passwd

(2) Password security controls

In an insecure network environment, to reduce the risk of passwords being guessed or brute-forced, users should get into the habit of changing their passwords regularly and avoid using the same password for a long time. On the server side the administrator can limit the maximum number of days a password is valid; once the password has expired, the user is required to set a new one at login, otherwise the login is refused.

The following operations set the password validity period to 30 days:

[root@localhost ~]# vim /etc/login.defs            //applies to users created after the file is modified
                    ………………                               //part of the content omitted
PASS_MAX_DAYS   30                                   //present by default; just change the value
[root@localhost ~]# chage -M 30 q1                //applies to the existing user q1

In some special cases, such as after creating users in batch, you can require users to set a new password the first time they log in. For example:

[root@localhost ~]# chage -d 0 q1                    //applies to both newly created and existing users
Localhost login:q1
password:
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
更改用户 q1 的密码 。
为 q1 更改 STRESS 密码。
(当前)UNIX 密码:
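The two checks from the sections above (system accounts that still have a login shell, and the lock state and maximum password age that passwd -S and chage -M manipulate) can be scripted over the passwd and shadow formats. This is an added example, not code from the original post; the sample listings and the password hashes in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit passwd- and shadow-format
# listings for system accounts that still have a login shell, and for accounts
# whose password is locked or never expires. Both functions read stdin so they
# can run on constructed samples or on the real files ("< /etc/passwd",
# "< /etc/shadow" as root).

# Print "name:uid:shell" for every system account (UID 1-999) whose shell is
# not one of the usual non-login shells.
login_capable_system_accounts() {
    awk -F: '
        $3 == 0 || $3 >= 1000 { next }       # root and regular users are out of scope
        $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" {
            print $1 ":" $3 ":" $7
        }
    '
}

# Print "name:STATE:maxdays" from shadow fields: LK when the hash is prefixed
# with "!" or "*" (what usermod -L does; passwd -S reports LK), NP for an
# empty password field, PS otherwise; maxdays is field 5, which chage -M sets.
password_status() {
    awk -F: '{
        state = ($2 ~ /^[!*]/) ? "LK" : (($2 == "") ? "NP" : "PS")
        print $1 ":" state ":" $5
    }'
}

# Constructed samples modelled on the listings in the post. "games" has been
# given a real shell on purpose, and the hashes are placeholders, not real ones.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
svc_backup:x:990:990:backup svc:/var/backup:/bin/sh
q1:x:1001:1001::/home/q1:/bin/bash'
SAMPLE_SHADOW='q1:!$6$PLACEHOLDER$HASH:18135:0:99999:7:::
xiaoli:$6$PLACEHOLDER$HASH:18135:0:30:7:::'

printf '%s\n' "$SAMPLE_PASSWD" | login_capable_system_accounts
printf '%s\n' "$SAMPLE_SHADOW" | password_status
```

On the sample, the first function flags games and svc_backup, and the second reports q1 as locked with a 99999-day maximum age, while xiaoli has the 30-day limit from the section above.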

(3) Command history and automatic logout

The shell's command history mechanism is very convenient for users, but it also poses a potential risk: anyone who obtains a user's history file can see that user's command operations at a glance, and if a plaintext password was ever typed on the command line, the server is exposed to serious risk.

In the Bash terminal environment, the number of command history entries kept is controlled by the variable HISTSIZE, whose default is 1000. Changing it in the profile affects all users of the system. For example:

[root@localhost ~]# vim /etc/profile                //applies to newly logged-in users
                     …………                                   //part of the content omitted; add the following
HISTSIZE=200
[root@localhost ~]# export HISTSIZE=200
//applies to the current user; export makes the variable an environment (global) variable

In addition, you can edit the ~/.bash_logout file in the user's home directory and add a command that clears the history:

[root@localhost ~]# vim ~/.bash_logout                  //open the config file and add the following
history -c                                                                  //clear the command history
clear                                                                        //clear the screen

This way, when the user logs out of the Bash environment, the recorded command history is cleared automatically.

In the Bash terminal environment you can also set an idle timeout: when the terminal sees no input for longer than the specified time, the user is logged out automatically, which avoids the risk of an administrator or anyone else misusing an unattended session on the server. The idle timeout is controlled by the variable TMOUT and is given in seconds (s).

[root@localhost ~]# vim /etc/profile                //applies to newly logged-in users
                     …………                                   //part of the content omitted; add the following
export TMOUT=600
[root@localhost ~]# export TMOUT=600      //applies to the current user

Note: while compiling code, modifying system configuration or performing other lengthy operations, you should avoid setting the TMOUT variable. If necessary, use the "unset TMOUT" command to cancel the TMOUT setting.

2. Switching users and escalating privileges

On most Linux servers it is not recommended that users log in directly as root. On the one hand this greatly reduces the damage caused by mistakes; on the other hand it reduces the risk of the privileged password being compromised on an insecure network. For these reasons it is necessary to provide mechanisms by which an ordinary user can switch identity or escalate privileges to perform administrative tasks when needed.

Linux provides two commands for this, su and sudo: the su command is mainly used to switch users, while the sudo command is used to execute commands with elevated privileges.

(1) The su command: switching users

With the su command a user can switch to another specified user and obtain all of that user's permissions. Of course, the target user's password must be verified (except when switching from root to another user). For example:

[root@localhost ~]# su - xiaoli
[xiaoli@localhost ~]$ su - root
密码:                                                          //enter the root user's password
[root@localhost ~]#                                     //root privileges obtained after successful verification

In the command above, the option "-" is equivalent to "--login" or "-l" and means that the switch enters the target user's login shell environment; without the "-" option only the identity is switched, not the user's environment. When switching to root, "root" may be omitted.

By default any user is allowed to use the su command, so anyone has the opportunity to try another user's (such as root's) login password again and again. This is a big security risk. To tighten control over the su command, the pam_wheel authentication module can be used so that only a very few users are allowed to switch with su. Implementation:

[root@localhost ~]# gpasswd -a xiaoli wheel
//Adding user "xiaoli" to group "wheel"
[root@localhost ~]# grep "wheel"  /etc/group
wheel:x:10:xiaoli
[root@localhost ~]# vim /etc/pam.d/su
auth            sufficient      pam_rootok.so                              //present by default
                 …………                                                             //part of the content omitted
auth            required        pam_wheel.so use_uid               //present by default; just remove the leading "#"
                 …………                                                             //part of the content omitted

After pam_wheel authentication is enabled, users who have not been added to the wheel group can no longer use the su command; an attempt to switch is met with "Permission denied", which limits the ability to switch users to a minimum.

[xiaozhang@localhost ~]$ su - root
密码:                                                                   //whether or not the password is correct, permission is denied
su: 拒绝权限

User operations such as adding, deleting and switching users are recorded in the /var/log/secure file, which can be inspected when necessary.

(2) The sudo command: elevating execution privileges

Switching to another user with su is very convenient, but it requires knowing the target user's login password (except when switching from root to other users); switching from any user to root requires knowing the root password. For a production Linux server, the fewer people who know the root password the better, otherwise there is a huge risk.

There is a way to give ordinary users part of the administrative privileges without their needing to know the root password: the sudo command.

With the sudo command, execution privileges can be elevated. However, the administrator must authorize this in advance, specifying which users may execute which commands as the superuser (or as another user).

1) Adding authorization in the configuration file /etc/sudoers

The configuration file of the sudo mechanism is /etc/sudoers. Its default permissions are 400, and the special visudo tool should be used to edit it. You can also edit it with vim, but then you must use the ":w!" command to force the write when saving, otherwise the system refuses to save a read-only file.

In /etc/sudoers, the basic format of an authorization record is:

user    host_list=command_list

An authorization record has three parts, user, host and command, meaning which user is authorized to execute which commands on which host. The specific meaning of each part:

User: the user name to authorize directly, or the form "%groupname" to authorize all users in a group;
Host: the host name on which this configuration applies. This part makes it easy to share one sudoers file between several hosts; it is usually set to localhost or the actual host name;
Command: the privileged commands the authorized user may run through sudo, given as the full path of the command program, with multiple commands separated by commas ",".

In a typical sudo configuration, each line corresponds to the sudo authorization of one user or group. For example:

[root@localhost ~]# visudo
                              ………………             //part of the content omitted
xiaozhang       localhost=/sbin/ifconfig    //allow user xiaozhang to run ifconfig on this host
%wheel  ALL=NOPASSWD:ALL            //allow members of the wheel group to run any command on any host without a password

When many users share the same authorization, or many commands are authorized, aliases can be defined centrally. Users, hosts and commands can each be defined as an alias (which must be uppercase), set with the keywords User_Alias, Host_Alias and Cmnd_Alias respectively. For example:

[root@localhost ~]# visudo
                              ………………             //part of the content omitted
User_Alias      OPERATORS=user1,user2,user3                 //define the list of user names
Host_Alias      MAILSVRS=smtp,pop                                   //define the list of hosts
Cmnd_Alias      PKGTOOLS=/bin/rpm,/usr/bin/yum            //define the list of commands
OPERATORS       MAILSVRS=PKGTOOLS                       //tie the defined lists together

In the command part of a sudo configuration record, the wildcard "*" and the negation symbol "!" are allowed, which is particularly useful when all the commands in a directory need to be authorized except for a few individual ones. For example:

[root@localhost ~]# visudo
                              ………………             //part of the content omitted
xiaowang        localhost=/bin/*,!/bin/passwd root
//allow user xiaowang to run all commands under /bin on this host, but not to change the root user's password

By default, operations performed through sudo are not logged. To enable sudo logging so that it can be reviewed later, do the following:

[root@localhost ~]# visudo
                              ………………             //part of the content omitted
Defaults logfile="/var/log/sudo"

2) Executing privileged commands via sudo

An authorized user executes a privileged command through sudo simply by putting "sudo" in front of the normal command!

[xiaosun@localhost ~]$ sudo ifconfig ens33 192.168.1.1/24

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for xiaosun: 
xiaosun 不在 sudoers 文件中。此事将被报告。
//because xiaosun has not been authorized to run privileged commands
[xiaozhang@localhost ~]$ ifconfig ens33 192.168.1.1/24
SIOCSIFADDR: 不允许的操作
SIOCSIFFLAGS: 不允许的操作
SIOCSIFNETMASK: 不允许的操作
[xiaozhang@localhost ~]$ sudo ifconfig ens33 192.168.1.1/24

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for xiaozhang:                 
//the user must enter their own password for verification (if no password should be required, add "NOPASSWD:" in front of the command in sudoers)
//xiaozhang can use the privileged command (already authorized)

In the current session, the first time a command is executed through sudo the user must enter their own password (not the root password) for authentication; afterwards, as long as no more than 5 minutes have passed since the previous sudo operation, the verification need not be repeated.

To see which privileged commands and environment settings the current user has been granted, run the "sudo -l" command.

[xiaozhang@localhost ~]$ sudo -l
[sudo] password for xiaozhang: 
匹配此主机上 xiaozhang 的默认条目:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin,
    logfile=/var/log/sudo

用户 xiaozhang 可以在该主机上运行以下命令:
    (root) /sbin/ifconfig
//checking a user who has been authorized
[root@localhost ~]# su - xiaosun
上一次登录:二 8月 27 21:41:40 CST 2019pts/0 上
[xiaosun@localhost ~]$ sudo -l
[sudo] password for xiaosun: 
对不起,用户 xiaosun 不能在 localhost 上运行 sudo。
//checking a user who has not been authorized

If sudo logging is enabled, the history of sudo operations can be viewed.

[root@localhost ~]# tail /var/log/sudo
Aug 27 21:41:07 : xiaoli : TTY=pts/0 ; PWD=/home/xiaoli ; USER=root ;
    COMMAND=/sbin/ifconfig ens33 192.168.1.1/24
Aug 27 21:42:53 : xiaozhang : TTY=pts/0 ; PWD=/home/xiaozhang ; USER=root ;
    COMMAND=/sbin/ifconfig ens33 192.168.1.1/24
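The log above is worth more than a tail: records are two lines each (a header line and an indented COMMAND= line), and once joined they can be compared against what sudoers was meant to grant. The following is an added example, not code from the original post; the third log record is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the sudo log format
# shown above (/var/log/sudo as written by Defaults logfile=...). Each record
# is a header line followed by an indented COMMAND= continuation line, so the
# lines are joined before fields are pulled out. Both functions read stdin.

# Print one "invoking_user|target_user|command" line per sudo record.
sudo_log_summary() {
    awk '
        function emit(u, t, c) {
            split(rec, parts, " : ")            # "date : user : rest"
            u = parts[2]
            t = rec; sub(/.*USER=/, "", t); sub(/ ;.*/, "", t)
            c = rec; sub(/.*COMMAND=/, "", c)
            print u "|" t "|" c
        }
        /^[ \t]*$/  { next }                    # skip blank lines
        /^[^ \t]/   { if (rec != "") emit(); rec = $0; next }
                    { rec = rec " " $0 }        # indented continuation line
        END         { if (rec != "") emit() }
    '
}

# Print records whose program is not in the space-separated allow list $1,
# i.e. sudo invocations outside what the sudoers policy was meant to grant.
unexpected_sudo_commands() {
    sudo_log_summary | awk -v allow="$1" -F'|' '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { split($3, w, " "); if (!(w[1] in ok)) print }
    '
}

# Constructed sample: the two records from the post plus one extra record
# (a sudo to an interactive shell) for the allow-list check to catch.
SAMPLE_SUDO_LOG='Aug 27 21:41:07 : xiaoli : TTY=pts/0 ; PWD=/home/xiaoli ; USER=root ;
    COMMAND=/sbin/ifconfig ens33 192.168.1.1/24
Aug 27 21:42:53 : xiaozhang : TTY=pts/0 ; PWD=/home/xiaozhang ; USER=root ;
    COMMAND=/sbin/ifconfig ens33 192.168.1.1/24
Aug 27 21:50:12 : xiaozhang : TTY=pts/1 ; PWD=/home/xiaozhang ; USER=root ;
    COMMAND=/bin/bash'

printf '%s\n' "$SAMPLE_SUDO_LOG" | unexpected_sudo_commands "/sbin/ifconfig"
```

Run against the real log with "unexpected_sudo_commands '/sbin/ifconfig' < /var/log/sudo" (as root), the allow list should mirror the command lists granted in /etc/sudoers.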


Source: blog.51cto.com/14157628/2433029