
Security Control of centOS7 account (1)

2025-01-19 Update. From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Today we are talking about account security control in Linux.

A user account is the identity credential of a computer user: anyone who wants to access system resources must enter the computer through his or her own user account.

System account cleanup

In a Linux system, besides the accounts created manually by administrators, there are a large number of other accounts generated when the system or programs are installed. Apart from the superuser root, most of these accounts exist only to keep the system running or to own service and daemon processes; they are generally not allowed to log in and are therefore called non-login users.

1. First type grep "bash" /etc/passwd to see which users can log in to the current server.

2. Create a new user lisi: enter useradd lisi, press Enter, then enter passwd lisi to set the password.

3. Next we need to protect the account files. Enter lsattr /etc/passwd /etc/shadow to see whether the files are locked.

4. Now lock the files by entering

chattr +i /etc/passwd /etc/shadow

5. With the files locked, use useradd to see whether a user can still be created, then type tail -5 /etc/passwd to see whether it was created.

6. You can see that the user creation failed. Now unlock the files by entering

chattr -i /etc/passwd /etc/shadow

7. You can see that the files are unlocked. Next, create a new user to confirm that it succeeds.
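As an added example (not from the original article), the check in step 1 done more robustly: a shell script that lists login-capable accounts from a constructed passwd-format sample by testing the shell field rather than grepping for "bash", plus a helper that reads the immutable flag set by chattr +i. The sample data and function names are mine.

```shell
#!/bin/bash
# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
lisi:x:1001:1001::/home/lisi:/bin/bash
wangwu:x:1002:1002::/home/wangwu:/bin/sh
backup:x:1003:1003::/var/backup:/bin/false'

# Print the accounts whose login shell (7th field) is interactive.
# grep "bash" would miss a /bin/sh user such as wangwu; testing the shell
# field against the known non-login shells is more reliable.
login_capable_users() {                 # $1 = passwd-format file
    awk -F: '$7 !~ /(nologin|false|sync|shutdown|halt)$/ { print $1 }' "$1"
}

# Number of login-capable accounts: the figure to review after cleanup.
count_login_users() {
    login_capable_users "$1" | wc -l | tr -d ' '
}

# Report whether a file carries the immutable attribute (chattr +i).
# lsattr prints the attribute string first; an "i" in it means writes by
# useradd, usermod or passwd will fail until chattr -i is run.
is_immutable() {                        # $1 = path, e.g. /etc/passwd
    lsattr -d "$1" 2>/dev/null | awk 'NR == 1 { print (index($1, "i") > 0 ? "yes" : "no"); f = 1 }
                                       END { if (!f) print "unknown" }'
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
echo "Login-capable accounts:"
login_capable_users "$tmp"
echo "Total: $(count_login_users "$tmp")"
rm -f "$tmp"
```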

Password security control

In any network environment, to reduce the risk of passwords being guessed or brute-forced, users should get into the habit of changing their passwords rather than using one password for a long time. The administrator can limit the maximum number of days a password stays valid on the server side; a user whose password has expired is required to reset it at login, otherwise the login is refused.

1. Enter vim /etc/shadow to view the password file of the accounts.

2. You can see that the password validity of root and the existing users is permanent. Next we change the default for users in the configuration file: enter vim /etc/login.defs, where the password attributes are kept. Press "/" and search for 99999 (the PASS_MAX_DAYS line), delete the value with dw, press "a" and type 30 to set the password validity to 30 days, then wq to save and exit.

3. Open the password file again to see whether the change has taken effect.

4. Now add a new user and check in the password file that its maximum validity is 30 days.

5. Enter chage -M 30 wangwu to modify the validity period of a user that was created earlier.

6. Next, use chage -d 0 wangwu to force the user to change the password at the next login.

7. When we log in and enter a new password, we find that we cannot get in.

8. Let's enter a complex password to see whether that is accepted.

9. It still fails, because the password policy does not allow runs of consecutive characters or consecutive digits.
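Added example, not part of the original article: a shell function that reads the shadow-file fields this procedure modifies (day of last change and the maximum age set by PASS_MAX_DAYS or chage -M) and reports what login will do for each account. The shadow lines are constructed with the hashes replaced by a placeholder, and "today" is passed in as a fixed day number so the result is reproducible.

```shell
#!/bin/bash
# Constructed /etc/shadow sample (hashes replaced by placeholders; not from a real host).
# Field 3 = day of last change (days since 1970-01-01), field 5 = maximum age in days.
SAMPLE_SHADOW='root:$6$PLACEHOLDER:19700:0:99999:7:::
lisi:$6$PLACEHOLDER:19700:0:30:7:::
wangwu:$6$PLACEHOLDER:0:0:30:7:::
zhangsan:$6$PLACEHOLDER:19600:0:30:7:::'

# Classify one account's password age the way login does:
#   lastchg == 0            -> must change at next login (effect of chage -d 0)
#   max empty or >= 99999   -> never expires (the login.defs default)
#   lastchg + max < today   -> expired, login forces a reset
#   otherwise               -> valid, with the days remaining
password_status() {                     # $1 shadow file, $2 user, $3 today (days since epoch)
    awk -F: -v u="$2" -v today="$3" '
        $1 == u {
            if ($3 == 0)                 { print "must-change"; exit }
            if ($5 == "" || $5 >= 99999) { print "never-expires"; exit }
            left = $3 + $5 - today
            if (left < 0)                { print "expired"; exit }
            print "valid " left " days left"; exit
        }' "$1"
}

# Today in days since the epoch, the unit the shadow file uses.
today_days() { echo $(( $(date +%s) / 86400 )); }

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
for u in root lisi wangwu zhangsan; do
    printf '%-10s %s\n' "$u" "$(password_status "$tmp" "$u" 19710)"
done
rm -f "$tmp"
```

Replace the fixed day 19710 with "$(today_days)" to audit a real shadow file.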

Command history, automatic logout

The command history mechanism of the shell is a great convenience for users, but it also carries a risk: anyone who obtains a user's history file can see that user's command operations at a glance, and if a plaintext password was ever typed on the command line, another gap has quietly opened in the server's security barrier.

1. Enter history to view the commands that have been entered.

2. All users on the system are affected by modifying the value of the history variable in the /etc/profile file.

3. The number of history records kept defaults to 1000 (HISTSIZE). Press "/" to search for it, Shift+R to replace, type 20, then wq to save and quit; the command history is now limited to 20 entries.

4. Enter history to see whether only 20 commands are displayed.

5. You will find that the change has not taken effect after saving and exiting. Enter source /etc/profile and check again.

After every modification of an environment variable, type source /etc/profile to make it take effect if you do not want to restart.

1. Each user has an environment variable configuration file in the home directory. Enter cd /home/zhangsan to see that user's configuration files.

2. Enter vim .bash_logout to open the configuration file.

3. Add the line history -c to the configuration file and wq to save and exit, so that the command history is cleared at every logout.

Automatic logout

In the Bash environment terminal, you can also set an idle timeout period to log out the terminal automatically when there is no input after the specified time.

1. Enter vim /etc/profile to open the configuration file.

2. The idle timeout is controlled by the variable TMOUT, in seconds by default. If you search for TMOUT in the configuration file, you will find that there is no such line yet.

3. Press "o" to open a new line, enter export TMOUT=200, then wq to save.

4. Enter source /etc/profile to apply it.

The terminal session will then be logged out automatically once it has been idle for more than 200 seconds.

User switching and rights raising

Most Linux servers do not recommend that users log in directly as root. On the one hand this greatly reduces the damage caused by mistakes; on the other hand it reduces the risk of the privileged password being disclosed on an insecure network. For these reasons an identity-switching or privilege-escalation mechanism is needed so that ordinary users can obtain the permissions they need when necessary.

su command -- switch users

Using the su command, you can switch to another user you specify, thus having all the permissions of that user.

1. Log in as an ordinary user and enter su root to switch to the administrator.

2. Enter grep "bash$" /etc/passwd to see who can log in.

3. Use su to switch back and forth between users.

By default, any user is allowed to use the su command, and therefore has the opportunity to try other users' login passwords over and over again, which is a security risk. To tighten control over su, we can use the pam_wheel authentication module so that only a few users may switch with su.

4. You can see that anyone who knows the root password can switch to root simply by entering it. What we will do next is restrict which users can switch to root.

Enter vim /etc/pam.d/su to open the configuration file.

Move to the commented line beginning # auth that loads pam_wheel, type dw to delete the # so that the wheel restriction is enabled, then type wq to save and exit.

Type vim /etc/group to see which users belong to wheel.

Enter id akg to check whether the user is in wheel by default.

Now add the user bose and see whether bose can switch to root.

We can see that permission is denied; bose cannot switch users now. Then type gpasswd -a bose wheel to add bose to the wheel group, and try to switch again.

sudo command -- elevate execution permissions

The sudo command allows ordinary users to hold part of the administrative privileges without being told the root password, but the administrator must authorize them in advance, specifying which users may execute which commands as the superuser.

1. Enter vim /etc/sudoers to open the configuration file.

2. We have previously added both akg and bose to the wheel group. In the configuration file you can see that members of wheel are allowed to execute all commands as the superuser.

3. Create a new user lisi.

4. Enter id lisi to see that lisi does not belong to the wheel group.

5. Now switch to the lisi user and log in. After logging in, let's see whether we can change the IP address: right-click to open the terminal and enter ifconfig ens33 192.168.71.140.

6. The IP address cannot be changed. Type which ifconfig to see which directory the command is in.

7. The ifconfig command is in /sbin/. Enter sudo ifconfig ens33 192.168.71.140 to change the IP address; we are prompted for the user's password.

8. But after entering the password we are told that we are not in the sudoers file.

9. Our bose and akg users are in the wheel group. Click Log out to switch to one of them, then enter sudo ifconfig ens33 192.168.71.140 to modify the IP address.

10. If we want lisi to be able to change the IP address as well, there is a way. First switch to root, enter vim /etc/sudoers to open the configuration file and, in the Host Aliases section, write lisi localhost=/sbin/ifconfig (user, hostname, and the ifconfig command in sbin), then wq to save and exit.

11. After saving and exiting, switch to the lisi user and enter sudo ifconfig ens33 192.168.71.139. We can see that lisi can now modify the IP address too.

PAM security authentication

PAM is the pluggable authentication module framework of Linux. Using the su command carries a security risk: by default any user is allowed to use su, so there is an opportunity to try other users' login passwords repeatedly.

To tighten control over the use of su, we can use a PAM authentication module to allow only a few users to switch with the su command.

1. PAM and its function

(1) PAM is an efficient, flexible and convenient user-level authentication mechanism, and currently the authentication method commonly used on Linux servers.

(2) PAM provides a central mechanism for authenticating all services, suitable for login, remote login, su and other applications.

(3) The system administrator sets different authentication policies for different applications through the PAM configuration files.

Principle of PAM authentication

(1) PAM authentication generally follows the order: service -> PAM configuration file -> pam_*.so

(2) PAM authentication first determines which service is involved, then loads the corresponding PAM configuration file (under /etc/pam.d), and finally calls the authentication module to perform the check.

(3) When a user accesses the server, the server's service program hands the user's request to the PAM module for authentication. Different applications correspond to different PAM modules.

The structure of PAM authentication

(1) Each line is an independent authentication step.

(2) Each line can be divided into three fields:

1) Authentication type

2) Control type

3) PAM module and its parameters
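The su restriction described earlier (pam_wheel plus wheel membership) and the three-field PAM line structure just listed, as an added example that is not from the original article: constructed /etc/pam.d/su and /etc/group samples are parsed field by field to decide whether a given user could reach root through su. Function names and sample content are mine.

```shell
#!/bin/bash
# Constructed /etc/pam.d/su and /etc/group samples (not copied from a real host).
# The first PAM sample has the pam_wheel line enabled; the second keeps it commented,
# which is the CentOS 7 default that lets every user attempt su.
PAM_SU_RESTRICTED='#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
session         include         system-auth'
PAM_SU_DEFAULT='#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth'
SAMPLE_GROUP='root:x:0:
wheel:x:10:akg,bose
users:x:100:
lisi:x:1001:'

# Is pam_wheel enforced for su? Each PAM line is: type, control, module [args].
# Only an uncommented line whose fields are "auth", "required"/"requisite",
# "pam_wheel.so" counts; a leading "#" leaves su open to all users.
pam_wheel_enforced() {                  # $1 = content of /etc/pam.d/su
    printf '%s\n' "$1" | awk '$1 == "auth" && $2 ~ /^(required|requisite)$/ && $3 == "pam_wheel.so" { found = 1 }
                              END { print (found ? "yes" : "no") }'
}

# Members of a group as listed in the group file (what gpasswd -a user wheel adds to).
group_members() {                       # $1 = group file content, $2 = group name
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4 }'
}

# Decide whether a user may reach root through su under the given PAM and group state.
can_su_to_root() {                      # $1 = pam content, $2 = group content, $3 = user
    if [ "$(pam_wheel_enforced "$1")" = "no" ]; then echo "allowed (pam_wheel off)"; return; fi
    case ",$(group_members "$2" wheel)," in
        *",$3,"*) echo "allowed (in wheel)" ;;
        *)        echo "denied" ;;
    esac
}

for u in akg bose lisi; do
    printf '%-5s default: %-25s restricted: %s\n' "$u" \
        "$(can_su_to_root "$PAM_SU_DEFAULT" "$SAMPLE_GROUP" "$u")" \
        "$(can_su_to_root "$PAM_SU_RESTRICTED" "$SAMPLE_GROUP" "$u")"
done
```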
