Resolving account security issues on CentOS 7 (seven experiments)

This post covers several aspects of Linux system security (all experiments are based on CentOS 7), presented through seven hands-on experiments.


Table of contents:

  • Account file control (locking)
  • History control
  • Account password aging management
  • Secure account switching
  • Privilege elevation with the sudo command
  • GRUB menu management
  • NMAP scans

First, account file control (locking)

Account file control means locking and unlocking the account and password files (/etc/passwd and /etc/shadow). Once these files are locked, no new users can be created on the server.
Implementation steps:

1. View the state of the account files before locking them:

[root@localhost ~]# lsattr /etc/passwd /etc/shadow

2. Lock the account files, then check their state again:

[root@localhost ~]# chattr +i /etc/passwd /etc/shadow
[root@localhost ~]# lsattr /etc/passwd /etc/shadow

3. Try to add a user with the useradd command; you will find that users can no longer be added.

[root@localhost ~]# useradd tasetplayer

Second, history control

Linux keeps a complete record of previously entered commands. This is dangerous: anyone who gets into the system can use the history to infer what was executed before. So we limit the size of the history.
Implementation steps:

1. Modify the configuration file (system-wide):

[root@localhost ~]# vim /etc/profile

2. Find "HISTSIZE" in the configuration file and change the number after it

(The default is 1000, meaning up to 1000 history entries are stored)

3. The configuration file has now been modified, but the change has not taken effect yet; you need to reboot or enter:

[root@localhost ~]# source /etc/profile

This re-reads the modified configuration file so that the change takes effect.

1. Modify the configuration file (for a single user):

[root@localhost ~]# vim /home/zhy/.bash_logout

Here, "/home/zhy" is the user's home directory.

2. In that file, manually add:

history -c
clear

Third, account password aging management

Experiment one:

Set the password validity period
Require the user to change the password at next login

[root@localhost ~]# vim /etc/login.defs
......
PASS_MAX_DAYS 30    (applies to new users; the validity period of existing users does not change)

[root@localhost ~]# vim /etc/shadow    (this command modifies the validity period of an existing user)

In addition to the two commands above, which control how long a user's password is valid:

[root@localhost ~]# chage -d 0 wangwu    (forces a password change at next login)

Using this command is strongly discouraged!!!! Your new password will basically never be set successfully (even if it meets the password complexity requirements), and all sorts of problems will appear!!
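
An added example, not part of the original post: a shell function that audits the aging fields discussed above in a shadow-format file. It flags accounts whose maximum password age is unset or above a limit, and accounts marked for a forced change (last-change field 0, which is what "chage -d 0" writes). The function names, the sample file and the placeholder hashes are constructed for illustration.

```sh
# Added example: audit password aging in a shadow-format file.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# audit_shadow_aging FILE LIMIT
# Prints "user reason" for each account that can log in with a password and
#   - has no maximum age (field 5 empty), or
#   - has a maximum age above LIMIT days, or
#   - has last-change (field 3) set to 0, as written by "chage -d 0".
audit_shadow_aging() {
    awk -F: -v limit="$2" '
        $2 ~ /^[!*]/       { next }                      # locked / no password login
        $5 == ""           { print $1, "no-max-age"; next }
        $5 + 0 > limit + 0 { print $1, "max-age=" $5; next }
        $3 == "0"          { print $1, "change-at-next-login" }
    ' "$1"
}

# Constructed sample data; the hashes are placeholders, not real values.
make_sample_shadow() {
    cat <<'EOF'
root:$6$placeholder$hash:18000:0:99999:7:::
bin:*:17834:0:99999:7:::
zhaosi:$6$placeholder$hash:18100:0:30:7:::
wangwu:$6$placeholder$hash:0:0:30:7:::
zhy:$6$placeholder$hash:18100:0::7:::
EOF
}

# Demo run against the constructed file, with the 30-day limit from login.defs.
sample=$(mktemp)
make_sample_shadow > "$sample"
audit_shadow_aging "$sample" 30
rm -f "$sample"
```

On a real system the same function can be run as root against /etc/shadow.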

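Fourth, secure account switching

Normally, even an ordinary user can use the "su" command to switch between accounts, which gives them the chance to repeatedly try the login password of other users (such as root) and poses a very large security risk.
To tighten control over the su command, the pam_wheel authentication module can be used so that only selected users (those in the wheel group) are allowed to switch with su.
Implementation steps:

1. Add the user you want to authorize to the wheel group: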

[root@localhost ~]# gpasswd -a zhaosi wheel
[root@localhost ~]# cat /etc/group | grep wheel

2. Modify the /etc/pam.d/su authentication configuration to enable pam_wheel authentication

[root@localhost ~]# vim /etc/pam.d/su
......
auth sufficient pam_rootok.so
......
#auth required pam_wheel.so use_uid    (remove the leading # from this line to enable the module)
......

3. After this configuration, only "zhaosi" has been added to the wheel group, so other users can no longer use the su command to switch between users

[wangwu@localhost ~]$ su - root
密码:
su: 拒绝权限
[wangwu@localhost ~]$     (the switch failed; still the original user)
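
An added example, not part of the original post: a shell model of the decision described above, showing how the pam_wheel line and wheel membership together determine who may attempt su. The function names and the stand-in files for /etc/pam.d/su and /etc/group are constructed for illustration.

```sh
# Added example: how the pam_wheel line decides who may attempt "su".

# Succeeds when FILE ($1) has an uncommented "auth required pam_wheel.so" line.
wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Succeeds when USER ($2) is listed as a wheel member in group file $1.
in_wheel() {
    awk -F: -v u="$2" '
        $1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$1"
}

# su_decision PAMFILE GROUPFILE USER: prints "allowed" or "denied".
# "allowed" only means the pam_wheel gate is passed; a non-root caller
# still has to supply the target account's password.
su_decision() {
    if [ "$3" = root ] || ! wheel_enforced "$1" || in_wheel "$2" "$3"; then
        echo allowed
    else
        echo denied
    fi
}

# Constructed stand-ins for /etc/pam.d/su and /etc/group.
make_pam_su() {   # $1 = on: pam_wheel line active; anything else: commented out
    prefix='#'
    if [ "$1" = on ]; then prefix=''; fi
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        "${prefix}auth required pam_wheel.so use_uid" \
        'auth substack system-auth'
}
make_group() {
    printf '%s\n' 'root:x:0:' 'wheel:x:10:zhaosi' 'wangwu:x:1001:' 'zhaosi:x:1002:'
}

# Demo: with the line enabled, only root and wheel members pass.
work=$(mktemp -d)
make_group > "$work/group"
make_pam_su on > "$work/su"
for u in root zhaosi wangwu; do
    echo "$u: $(su_decision "$work/su" "$work/group" "$u")"
done
rm -rf "$work"
```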

Fifth, privilege elevation with the sudo command

In Linux, when it comes to a command that lets an ordinary user hold part of the administrative privileges without knowing the root password, that command is sudo!! As long as the administrator grants authorization in advance, a specified ordinary user can hold a subset of administrative privileges.

1. Add the authorization to the configuration file /etc/sudoers (you can also do this directly with the visudo tool)

[root@localhost ~]# visudo
......
wangwu localhost=/usr/sbin/ifconfig    (authorizes wangwu to run the ifconfig command)
:wq

2. Run privileged commands through sudo

An authorized user only needs to put sudo in front of the normal command.

[wangwu@localhost ~]$ /sbin/ifconfig ens33 192.168.1.11/24    (without sudo)
SIOCSIFADDR: 不允许的操作
SIOCSIFFLAGS: 不允许的操作
SIOCSIFNETMASK: 不允许的操作
[wangwu@localhost ~]$ sudo /sbin/ifconfig ens33 192.168.1.11/24    (with sudo)
......
[sudo] wangwu 的密码:
[wangwu@localhost ~]$ ifconfig    (verify the result)
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.11 netmask 255.255.255.0 broadcast 192.168.1.255

Sixth, GRUB menu management

The GRUB menu is a prerequisite for the boot process; if it is damaged, the system cannot be entered. Normally the GRUB menu does not cause major problems. However, an earlier post on this blog described repairing a system by editing the GRUB boot parameters to enter single-user mode; that approach bypasses the login password and gives root privileges.
The method is useful, but from a security point of view, the fact that anyone can obtain root privileges by modifying the GRUB parameters is itself a serious threat to the server. To prevent this, we can set a separate password for the GRUB menu.

1. Back up the GRUB menu file and its header file, in case a failed experiment leaves the system unable to boot

[root@localhost ~]# cp /boot/grub2/grub.cfg  /boot/grub2/grub.cfg.bak
[root@localhost ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak

2. Generate the password hash required for the GRUB menu

[root@localhost ~]# grub2-mkpasswd-pbkdf2

3. Edit the GRUB menu header file

[root@localhost ~]# vim /etc/grub.d/00_header

Specific modification steps:

Press G to jump to the end of the file, press o to open a new line below it, and enter:

cat << EOF
set superusers="root"
password_pbkdf2 root <hash value calculated in step 2>
EOF

:wq (save and exit)

4. Regenerate the GRUB configuration

[root@localhost ~]# grub2-mkconfig -o /boot/grub2/grub.cfg

This completes the GRUB menu password setup. The next time you want to enter the GRUB settings, you must enter the password.

Seventh, NMAP scans (port scanning)

NMAP scan syntax

Format: nmap [scan type] [options] <scan target...>
Common scan types:
-sS: TCP SYN scan
-sT: TCP connect scan
-sF: TCP FIN scan
-sU: UDP scan
-sP: ping detection
-P0: skip ping detection

Experiment steps:

1. Install the NMAP scanning tool

[root@localhost ~]# yum install nmap -y

2. Use the tool to check which port services this machine has open to the outside

Open TCP port services

[root@localhost ~]# nmap -sT 127.0.0.1


Open UDP port services

[root@localhost ~]# nmap -sU 127.0.0.1


Origin blog.51cto.com/14484404/2433085