2025-01-15 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Blog catalogue
I. Account security control
II. Basic security measures
III. User switching and privilege escalation
IV. Boot and shutdown security control
Terminal and login control
I. Account security control
A user account is the identity credential of a computer user: anyone who wants to use system resources must enter the system through an account. Linux provides several mechanisms to make sure that accounts are used properly and safely.
II. Basic security measures
1. System accounts
Among the various non-login accounts, quite a few are almost never used, for example "games". Such accounts can be treated as redundant and deleted outright. The same goes for some program accounts: if an account is left behind after the program that used it has been uninstalled, delete it manually.
For accounts on a Linux server that have not been used for a long time, and which you are not sure should be deleted, lock them temporarily instead. Either usermod or passwd can do this:
1) Lock the account with usermod:
[root@centos01 ~]# usermod -L zhangsan
[root@centos01 ~]# passwd -S zhangsan
zhangsan LK 2019-11-22 0 99999 7 -1 (Password locked.)
[root@centos01 ~]# usermod -U zhangsan
[root@centos01 ~]# passwd -S zhangsan
zhangsan PS 2019-11-22 0 99999 7 -1 (Password set, SHA512 crypt.)
2) Lock the account with passwd:
[root@centos01 ~]# passwd -l zhangsan
Locking password for user zhangsan.
passwd: Success
[root@centos01 ~]# passwd -S zhangsan
zhangsan LK 2019-11-22 0 99999 7 -1 (Password locked.)
[root@centos01 ~]# usermod -U zhangsan
[root@centos01 ~]# passwd -S zhangsan
zhangsan PS 2019-11-22 0 99999 7 -1 (Password set, SHA512 crypt.)
In the passwd -S output the second field is the account state: LK means the password is locked, PS that a usable password is set, and NP that the account has no password at all. The counterpart of passwd -l is passwd -u.
2. Lock the account files
If the set of accounts on the server is fixed and no longer changes, you can also lock the account files themselves. Use chattr with the +i option to set the immutable attribute and -i to remove it, and lsattr to view it. Examples are as follows:
[root@centos01 ~]# chattr +i /etc/passwd /etc/shadow
[root@centos01 ~]# lsattr /etc/passwd /etc/shadow
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@centos01 ~]# chattr -i /etc/passwd /etc/shadow
[root@centos01 ~]# lsattr /etc/passwd /etc/shadow
---------------- /etc/passwd
---------------- /etc/shadow
While the account files are immutable their contents cannot change, so no account can be added or deleted, and no user can change their password, login shell, home directory or other attributes. This applies to root as well, and to package installations that need to create a system user, so chattr -i must be run before any such change. If group membership should be frozen too, apply the same attribute to /etc/group and /etc/gshadow.
3. Password validity control
To reduce the risk of a password being cracked or guessed by a third party, set a password validity period that limits the maximum number of days a password stays valid. A user whose password has expired must reset it at the next login, otherwise the login is refused.
[root@centos01 ~]# vim /etc/login.defs
...
PASS_MAX_DAYS   10
[root@centos01 ~]# chage -d 5 zhangsan
[root@centos01 ~]# cat /etc/shadow
...
zhangsan:$6$cigVri.K$wME7C78i0uvZpCSBzpYdoKcuxX.QkiLw7/3bsEZz5/IZWm9jZtT6ExSzmiwa0eFqjGQuuSza8CX7TeITQQNYJ/:5:0:99999:7:::
[root@centos01 ~]# chage -d 0 zhangsan
(at zhangsan's next login)
You are required to change your password immediately (root enforced)
Changing password for zhangsan.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[zhangsan@centos01 ~]$
chage -d sets the "last password change" field (the third field of the shadow entry, counted in days since 1970-01-01), so chage -d 5 makes that field 5 as the output shows, and chage -d 0 forces a password change at the next login. Note that PASS_MAX_DAYS in /etc/login.defs only applies to accounts created after the change: the maximum-age field of zhangsan is still 99999 above. For an existing account use chage -M 10 zhangsan, and review the result with chage -l zhangsan.
4. Command history and automatic logout
The shell's command history is a great convenience, but it is also a risk: whoever obtains a user's history file can see the user's whole sequence of operations, and if a plaintext password was ever typed on the command line, it now sits in that file as one more gap in the server's defences. The number of history entries kept is controlled by the HISTSIZE variable, which defaults to 1000; changing its value in /etc/profile affects all users on the system. Examples are as follows:
[root@centos01 ~]# export HISTSIZE=5
[root@centos01 ~]# history
    6  chage -d 0 zhangsan
    7  export HISTSIZE=10
    8  history
    9  export HISTSIZE=5
   10  history
[root@centos01 ~]# vim .bash_logout
# ~/.bash_logout
history -c
clear
[root@centos01 ~]# export TMOUT=500
HISTSIZE limits the entries kept in the running shell (HISTFILESIZE limits what is written to ~/.bash_history on exit); the history -c line in ~/.bash_logout clears the history whenever the user logs out; TMOUT=500 makes bash exit automatically after 500 seconds without input. To apply these to every user, set them in /etc/profile.
Note that TMOUT should not be set while you are performing long operations such as compiling program code or editing system configuration; remove it with "unset TMOUT" when necessary.
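The account states from items 1 and 3 above (locked, no password, disabled, password past its maximum age) can be checked in bulk. The following script is an added example, not code from the original post: it reads /etc/shadow-style text, evaluates each entry, and runs here on a constructed sample (shortened placeholder hashes, not real credentials). The day number, policy value and state names are this example's own choices.

```shell
#!/usr/bin/env bash
# Audit /etc/shadow-style entries for the states discussed above: locked
# password (usermod -L / passwd -l), empty password, disabled account, and
# password older than its allowed age. Added example, not from the original
# post. Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample shadow lines; hashes are shortened placeholders.
SAMPLE_SHADOW='root:$6$abc$xyz:18245:0:99999:7:::
zhangsan:!$6$abc$xyz:18222:0:99999:7:::
lisi:!!:18222:0:99999:7:::
wangwu::18222:0:99999:7:::
zhaoliu:$6$abc$xyz:18200:0:10:7:::
games:*:17000:0:99999:7:::'

# audit_shadow TODAY MAXDAYS   (reads shadow text on stdin)
#   TODAY   current day number since 1970-01-01, the unit of field 3
#   MAXDAYS the PASS_MAX_DAYS policy you want enforced
# Prints one "name STATE" line per account; STATE is LOCKED, NOPASSWORD,
# DISABLED, EXPIRED or OK.
audit_shadow() {
  local today=$1 maxdays=$2
  local name hash lastchg min max rest state limit
  while IFS=: read -r name hash lastchg min max rest; do
    [ -n "$name" ] || continue
    case "$hash" in
      '')   state=NOPASSWORD ;;   # empty hash: login without a password
      '!'*) state=LOCKED ;;       # "!" or "!!" prefix from usermod -L / passwd -l
      '*'*) state=DISABLED ;;     # "*": no password login possible
      *)
        state=OK
        # The account's own max age (field 5) wins when it is stricter than
        # the policy; PASS_MAX_DAYS in login.defs only affects new accounts.
        limit=$maxdays
        if [ -n "$max" ] && [ "$max" -lt "$limit" ]; then limit=$max; fi
        if [ -n "$lastchg" ] && [ $((today - lastchg)) -gt "$limit" ]; then
          state=EXPIRED
        fi
        ;;
    esac
    printf '%s %s\n' "$name" "$state"
  done
}

# Run on the constructed sample. On a real host (as root) the call would be:
#   audit_shadow "$(( $(date +%s) / 86400 ))" 10 < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 18250 10
```

With day 18250 as "today" and a 10-day policy, root is OK (changed 5 days ago), zhangsan and lisi are LOCKED, wangwu has NOPASSWORD, zhaoliu is EXPIRED (its own max of 10 days exceeded) and games is DISABLED. Accounts reported as NOPASSWORD or EXPIRED are the ones to act on first.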
III. User switching and privilege escalation
Linux provides two commands for this: su and sudo.
The su command switches to another user; the sudo command raises the privilege of a single command.
1. The su command: switching users
The options available to the su command are as follows:
- (a bare hyphen): "su -" starts a login shell, reading the target user's profile files just as a real login would; if no user name is given, the target is root.
-l: the same as "-", but the account to switch to must be given explicitly; this is also a login shell.
-m: keep the current environment instead of reading the new user's environment configuration.
-c: run a single command as the target user and return, for example su - -c "head -n 3 /etc/shadow"; the string in double quotes is the command to execute.
With su you can switch to any user you specify and thereby obtain all of that user's permissions. The target user's password is required, except when root switches to another user.
By default any user may run su, which gives everyone the opportunity to try the login passwords of other users, root included, over and over. To tighten control of su, use the pam_wheel module so that only a few users may switch. The procedure: add the users allowed to use su to the wheel group, then enable pam_wheel in /etc/pam.d/su (uncomment the line auth required pam_wheel.so use_uid). Once pam_wheel is active, users outside the wheel group are refused with "Permission denied" when they try to switch, which keeps the ability to switch users to a minimum. The pam_rootok.so line, marked sufficient, still lets root switch to any user without a password, and use_uid makes pam_wheel check the group membership of the real user who invoked su.
Examples are as follows:
[zhangsan@centos01 ~]$ su
Password:
[root@centos01 zhangsan]# cd
[root@centos01 ~]#
[zhangsan@centos01 ~]$ su -
Password:
Last login: Sat Nov 23 07:53:15 CST 2019 on pts/2
[root@centos01 ~]#
[root@centos01 ~]# su zhangsan
[zhangsan@centos01 root]$ cd
[zhangsan@centos01 ~]$
[root@centos01 ~]# gpasswd -a zhangsan wheel
Adding user zhangsan to group wheel
[root@centos01 ~]# grep wheel /etc/group
wheel:x:10:test,Radmin,zhangsan
[root@centos01 ~]# vim /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
...
[…@centos01 ~]$ su - root
Password:
su: Permission denied
Every use of su, successful or not, is logged to /var/log/secure, which can be checked as needed.
2. The sudo command: raising execution privileges
The su command makes switching users easy, but only if you know the target user's login password; to go from a normal user to root you must know the root password. On a production Linux server, every additional person who knows a privileged password increases the risk.
sudo is controlled by authorization entries in /etc/sudoers. The file has mode 440 and is meant to be edited with the dedicated visudo tool, which locks the file and checks its syntax before saving. You can edit it with vim, but then you must force the write with ":wq!", otherwise vim refuses to save a read-only file; a syntax error introduced this way breaks sudo for everyone, which is why visudo is the safer choice.
In /etc/sudoers, the basic format of an authorization entry is:
user MACHINE=COMMANDS
An optional "(RUNAS)" may follow the "=" to name the user the commands run as, as in the default root entry "root ALL=(ALL) ALL"; when it is omitted, the commands run as root.
An entry therefore has three parts, user, host and commands: who may run which commands on which hosts. Their meanings are:
User: a user name, or "%groupname" to authorize every member of a group.
Host (MACHINE): the host on which this entry applies. This mainly exists so that one sudoers file can be shared among several hosts; on a single machine it is usually "ALL" or the machine's own host name. The host field is compared with the real host name, so "localhost" only matches a machine actually named localhost.
Commands (COMMANDS): the privileged commands the user may run through sudo, each given by its full path, separated by commas.
In a typical sudo configuration, each line is the authorization for one user or group. The following lets zhangsan run ifconfig to change an IP address, and lets members of the wheel group run any command without entering a password:
[root@centos01 ~]# vim /etc/sudoers
root     ALL=(ALL)   ALL
zhangsan localhost=/sbin/ifconfig
%wheel   ALL=NOPASSWD: ALL
:wq!
[zhangsan@centos01 ~]$ sudo ifconfig ens32 192.168.100.20 netmask 255.255.255.0
[sudo] password for zhangsan:
NOPASSWD removes the password check entirely for the commands it covers, so "%wheel ALL=NOPASSWD: ALL" means anyone who gets a shell as a wheel member gets root without a further prompt; the stock entry "%wheel ALL=(ALL) ALL" is the safer choice.
When several users share the same authorization, or when many commands are authorized, define aliases centrally. The user, host and command parts can each be given an alias (alias names must be uppercase), set with the keywords User_Alias, Host_Alias and Cmnd_Alias respectively. Examples are as follows:
[root@centos01 ~]# vim /etc/sudoers
...
User_Alias OPERATORS = lisi, wangwu, zhaoliu
Host_Alias MAILSVRS = smtp, pop
Cmnd_Alias PKGTOOLS = /bin/rpm, /usr/bin/yum
OPERATORS MAILSVRS = PKGTOOLS
The command part of a sudo entry may use the wildcard "*" and the negation "!", which is handy when you want to authorize all commands in a directory except a few. For example, to let zhangsan run every command under /sbin/ except ifconfig and route, and to log sudo activity to a file:
[root@centos01 ~]# vim /etc/sudoers
...
zhangsan localhost=/sbin/*, !/sbin/ifconfig, !/sbin/route
Defaults logfile="/var/log/sudo"
The sudoers manual warns that subtracting commands with "!" from a broad grant is not a reliable restriction; treat it as a convenience and prefer listing the allowed commands explicitly where the set is small.
Notes on using sudo:
1. The first time a user runs a command through sudo, sudo asks for the user's own password. Later sudo commands do not ask again as long as no more than 5 minutes (the default timestamp timeout) have passed since the previous sudo operation.
2. To see what a user is allowed to do through sudo, run "sudo -l". If the list for a user who is supposed to be restricted contains "(ALL) ALL", the authorization is wrong: that user may run any command. If the entry edited with visudo looks correct, check whether the user is a member of the wheel group, because the default sudoers file on CentOS grants the whole wheel group "ALL=(ALL) ALL".
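The three problems above (a restricted user holding "(ALL) ALL", NOPASSWD grants, commands not written as absolute paths) can be caught before the file is installed. The following linter is an added example, not code from the original post: it reads sudoers-style text from stdin, recognises alias names only by their uppercase spelling without expanding them, and runs on a constructed sample; it never reads or writes the real /etc/sudoers.

```shell
#!/usr/bin/env bash
# Lint sudoers-style user specifications for: a user other than root with
# "(ALL) ALL", NOPASSWD grants, and commands not given by absolute path.
# Added example, not from the original post. Aliases are recognised by
# their all-uppercase names but not expanded (a simplification of sudoers).

# Constructed sample sudoers content, not a real /etc/sudoers.
SAMPLE_SUDOERS='# constructed sample
Defaults logfile="/var/log/sudo"
User_Alias OPERATORS = lisi, wangwu
Cmnd_Alias PKGTOOLS = /bin/rpm, /usr/bin/yum
root      ALL=(ALL) ALL
zhangsan  localhost=/sbin/ifconfig
%wheel    ALL=NOPASSWD: ALL
OPERATORS ALL=PKGTOOLS
lisi      ALL=(ALL) ALL
wangwu    ALL=ifconfig, /sbin/route, !/sbin/route add'

# lint_sudoers   (reads sudoers text on stdin)
# Prints "user: finding" for each problem; prints nothing for a clean file.
lint_sudoers() {
  local line user spec cmds cmd
  while IFS= read -r line; do
    # Skip comments, blank lines, Defaults and alias definitions.
    case "$line" in
      ''|'#'*|Defaults*|User_Alias*|Host_Alias*|Cmnd_Alias*|Runas_Alias*) continue ;;
    esac
    user=${line%%[[:space:]]*}   # user, %group or User_Alias name
    spec=${line#*=}              # text after "host=": [(runas)] [tags] commands
    case "$spec" in
      *NOPASSWD:*) printf '%s: NOPASSWD grant, no password asked for these commands\n' "$user" ;;
    esac
    if [ "$user" != root ] &&
       printf '%s' "$spec" | grep -Eq '^[[:space:]]*\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*$'; then
      printf '%s: (ALL) ALL grants every command as root\n' "$user"
    fi
    # Strip the (runas) group and tags, then check each comma-separated
    # command: it must be ALL, an alias (uppercase) or an absolute path,
    # optionally prefixed with "!" for a negation.
    cmds=$(printf '%s' "$spec" | sed -e 's/^[[:space:]]*([^)]*)//' \
                                   -e 's/[[:upper:]]*PASSWD://g' -e 's/NOEXEC://g')
    printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
      cmd=$(printf '%s' "$cmd" | sed -e 's/^[[:space:]]*!*//')
      cmd=${cmd%%[[:space:]]*}   # drop arguments, keep the program
      case "$cmd" in
        ''|ALL|/*|[[:upper:]]*) ;;
        *) printf '%s: command "%s" is not an absolute path\n' "$user" "$cmd" ;;
      esac
    done
  done
}

# On a real host: lint_sudoers < /etc/sudoers (as root). Here, the sample:
printf '%s\n' "$SAMPLE_SUDOERS" | lint_sudoers
```

On the sample this reports exactly three findings: %wheel for the NOPASSWD grant, lisi for "(ALL) ALL", and wangwu for the relative command "ifconfig"; root's own "(ALL) ALL" and the negated "!/sbin/route add" entry pass. The checks run on text only, so they complement rather than replace visudo's syntax check.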
IV. Boot and shutdown security control
Most servers are managed through remote logins, so the local boot process and console logins are easy to overlook, and that leaves risks behind. Especially where the server room lacks strict physical access control, preventing unauthorized interference at the console is a problem that must be addressed.
1. Adjust the BIOS boot settings
1) Set the first boot device (First Boot Device) to the disk holding the current system.
2) Disable booting from other devices (CD, USB disk, network and so on) by setting the corresponding items to "Disabled".
3) Set the BIOS security level to "setup" and set an administrator password, so that these settings cannot be changed without authorization.
2. Disable the Ctrl+Alt+Del reboot shortcut
[root@centos01 ~]# systemctl mask ctrl-alt-del.target
[root@centos01 ~]# systemctl daemon-reload
To enable the shortcut again:
[root@centos01 ~]# systemctl unmask ctrl-alt-del.target
Removed symlink /etc/systemd/system/ctrl-alt-del.target.
[root@centos01 ~]# systemctl daemon-reload
3. Limit changes to the GRUB boot parameters
While the system boots, pressing "e" at the GRUB menu opens the boot entry for editing, and after changing the boot parameters one can enter the system without any password. For a server this is obviously a serious hole, so set a password on the GRUB menu; the boot parameters can then only be modified after the correct password is supplied:
[root@centos01 ~]# grub2-mkpasswd-pbkdf2
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.7CC8455D40E48C538EFD1A8541FD31AA47AE61F4F39BD9F6E54994208810EA376BFBB96C3DDC0890B9F5109F83D2C7DEDBEACFD82C50790663396800FB3A3D3B.ECEF6AB02079526822C2722ADC8E4427783F30C0CDA26BC930FA067F10C5D9A583DA5861D4546F2976FCEB037A3F3BEB0164C8748F1D40791656389DC72EC31B
[root@centos01 ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
[root@centos01 ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
[root@centos01 ~]# vim /etc/grub.d/00_header
cat <<EOF
...
[root@centos01 ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
/etc/grub.d/00_header.bak: line 360: warning: here-document at line 359 delimited by end-of-file (wanted `EOF')
Found linux image: /boot/vmlinuz-3.10.0-693.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-693.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-2b580d1a2e8348b8aa9f78be11137b41
Found initrd image: /boot/initramfs-0-rescue-2b580d1a2e8348b8aa9f78be11137b41.img
done
The lines added to 00_header are not preserved here. Two things in the output are worth noting: grub2-mkconfig executes every executable file in /etc/grub.d, so the 00_header.bak copy was run as well (keep backups outside that directory, or make them non-executable), and the here-document warning means a cat <<EOF block was left without its closing EOF, which must be fixed before the generated grub.cfg is trusted. Always keep the grub.cfg.bak copy until the new configuration has been booted once.
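Instead of editing 00_header, the superuser and password lines can go into /etc/grub.d/40_custom, whose content after its first two lines is copied verbatim into grub.cfg. The script below is an added example, not the original post's procedure: it checks that the supplied string really has the grub.pbkdf2.sha512.<iterations>.<salt>.<digest> layout that grub2-mkpasswd-pbkdf2 produces, then writes the fragment. The user name "root", the output path and the format check are this example's assumptions; it writes only to the path you pass and never touches /boot.

```shell
#!/usr/bin/env bash
# Write a GRUB 2 superuser/password fragment in the /etc/grub.d/40_custom
# layout from a hash printed by grub2-mkpasswd-pbkdf2, after checking the
# hash format. Added example, not the 00_header edit from the original post.
# The output path is the caller's choice; grub2-mkconfig must still be run.

# The hash from the grub2-mkpasswd-pbkdf2 run above (its password is unknown;
# any grub.pbkdf2.sha512 hash works here).
SAMPLE_HASH='grub.pbkdf2.sha512.10000.7CC8455D40E48C538EFD1A8541FD31AA47AE61F4F39BD9F6E54994208810EA376BFBB96C3DDC0890B9F5109F83D2C7DEDBEACFD82C50790663396800FB3A3D3B.ECEF6AB02079526822C2722ADC8E4427783F30C0CDA26BC930FA067F10C5D9A583DA5861D4546F2976FCEB037A3F3BEB0164C8748F1D40791656389DC72EC31B'

# grub_password_fragment USER HASH OUTFILE
# Accepts only grub.pbkdf2.sha512.<iterations>.<salt-hex>.<digest-hex>; on
# bad input prints a reason to stderr and returns 1 without writing OUTFILE.
grub_password_fragment() {
  local user=$1 hash=$2 out=$3 body iter rest salt digest
  case "$hash" in
    grub.pbkdf2.sha512.*) ;;
    *) echo "not a grub2-mkpasswd-pbkdf2 hash (plaintext?)" >&2; return 1 ;;
  esac
  body=${hash#grub.pbkdf2.sha512.}
  iter=${body%%.*}
  rest=${body#*.}
  salt=${rest%%.*}
  digest=${rest#*.}
  case "$iter" in ''|*[!0-9]*) echo "bad iteration count" >&2; return 1 ;; esac
  if [ "$rest" = "$digest" ] || [ -z "$salt" ] || [ -z "$digest" ]; then
    echo "hash must contain both salt and digest" >&2; return 1
  fi
  case "$salt$digest" in *[!0-9A-Fa-f]*) echo "salt/digest not hex" >&2; return 1 ;; esac
  {
    # First two lines are the 40_custom header; grub2-mkconfig copies the rest.
    printf '#!/bin/sh\n'
    printf 'exec tail -n +3 $0\n'
    printf '# Added by grub_password_fragment: only "%s" may edit boot entries.\n' "$user"
    printf 'set superusers="%s"\n' "$user"
    printf 'password_pbkdf2 %s %s\n' "$user" "$hash"
  } > "$out" && chmod 0755 "$out"
}

# Demo into a temporary file. For real use pass /etc/grub.d/40_custom as
# OUTFILE and then run: grub2-mkconfig -o /boot/grub2/grub.cfg
demo=$(mktemp)
grub_password_fragment root "$SAMPLE_HASH" "$demo" && cat "$demo"
rm -f "$demo"
```

Once "set superusers" is present, editing an entry or entering the GRUB command line requires the password. On CentOS 7.2 and later the menu entries generated by 10_linux carry the --unrestricted flag, so a normal boot of the default entry still needs no password; the packaged grub2-setpassword command implements the same mechanism through /boot/grub2/user.cfg and is the simplest route where it is available.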