2025-02-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces "what is a Linux account and how to ensure information security". Many people run into these questions in practice, so the following sections walk through how accounts work and how to handle the common situations. I hope you read it carefully and get something out of it.
What is account security, and what is an account?
GNU/Linux controls access through users and user groups; the default Linux access control mechanism is relatively simple and direct.
A user generally refers to a person who uses the computer. The computer assigns each user a user name, and the user accesses the computer under that name. Besides people, some system services also get accounts of their own so that their service processes can be managed.
By default, a root user exists on Linux. The root user holds the highest permissions on the system and can perform every operation, while other accounts only hold partial permissions.
Linux also has the concept of a group: by changing the permissions of a group, access can be granted to all of its members at once. Each user must belong to a group, called the primary group. A user has exactly one primary group but can belong to several supplementary groups.
Linux adds users with the useradd command and deletes them with userdel. Everything in UNIX is a file, so every change ultimately ends up in a file. You can check the integrity of the user database files by running pwck -s.
Secure allocation of accounts to ensure the safety of assets
Linux controls what a user may see through access rights. The ls -l command shows, for each file, its owner, its group, the owner's access rights, the group's access rights, the access rights for everyone else, the file size, and the last modification time. Access rights consist of read (r), write (w), and execute (x) permission on the file. Controlling access to files is an effective way to prevent data leakage.
Installing new software sometimes automatically creates a user and a group of the same name. This is usual for software that serves local users or provides Web, mail, or similar services to users on the network: the software runs under its own user and group, so even if it is attacked from outside, it cannot damage files belonging to other users. It also gets a directory that belongs only to that account, so other users cannot tamper with it. Such users are generally not allowed to log in and have no usable password, which prevents anyone from entering the computer by brute-forcing their password. The following table lists some user groups and the files they affect.

| Group | Affected files | Role |
| --- | --- | --- |
| adm | | Administrative group, similar to wheel |
| ftp | /srv/ftp/ | Access to the files served by the FTP server |
| games | /var/games | Access to some games |
| log | /var/log/ | Access to the log files in /var/log created by syslog-ng |
| http | /srv/http/ | Access to the files served by the HTTP server |
| sys | | Right to administer printers in CUPS |
| systemd-journal | /var/log/journal/* | Read-only access to the system logs, as an alternative to adm and wheel [1]; users outside this group can only see the messages they generate themselves |
| users | | Standard user group |
| uucp | /dev/ttyS[0-9]+, /dev/tts/[0-9]+, /dev/ttyUSB[0-9]+, /dev/ttyACM[0-9]+ | RS-232 serial ports and USB serial devices |
| wheel | | Administrative group, typically used to grant sudo and su permissions; systemd also allows non-root wheel users to start services |
Editing the following files by hand is not recommended; use the relevant tools instead, to avoid corrupting the files.

| File | Function |
| --- | --- |
| /etc/shadow | stores user security information |
| /etc/passwd | user account information |
| /etc/gshadow | stores group account security information |
| /etc/group | defines which groups users belong to |
| /etc/sudoers | which users may run sudo |
| /home/* | home directories |

Account configuration
Account basic information
The basic information of an account is stored in /etc/passwd. Each user's account information occupies one line of this file and consists of seven fields separated by colons (":"), which are, from left to right: account name, password, user ID, group ID, user description, home directory, default shell.
name:password:UID:GID:GECOS:directory:shell
The detailed description of the field is as follows:
Account name: the user name; it cannot be empty, cannot contain uppercase letters, and must follow standard UNIX naming rules.
Password: the encrypted user password, or an asterisk; in practice this field usually just contains "x". There is something special about this field, described in detail later.
User ID: each user and group has a corresponding UID and GID (user ID and group ID). In general, the first non-root user gets UID 1000 by default, and users created afterwards should also get UIDs greater than 1000. A user's GID is that of its primary group; the group's ID is listed in the /etc/group file.
Group ID: the ID of the user's primary group.
User description: may be empty; usually holds information about the account's user, such as the full name or email address, separated by commas (",").
Home directory: used by the login command to set the $HOME environment variable. Setting the home directory to "/" is acceptable for some services, but is not recommended for ordinary users.
Default shell: the program run at login (if empty, /bin/sh is used as the default shell). If it is set to a program that does not exist, the user cannot log in through login.
Newer Linux versions store passwords in a shadow file. The passwd file is readable by everyone, so storing passwords in it, encrypted or not, is insecure. The password field therefore usually holds a placeholder character (x), and the encrypted passwords are kept in /etc/shadow, which ordinary users cannot read.
Example:
jack:x:1001:100:Jack Smith,some comment here,:/home/jack:/bin/bash
Breakdown: the login name is jack, the password is stored in /etc/shadow, the UID is 1001, the primary group ID is 100 (the users group), the full name is Jack Smith with some comments, the home directory is /home/jack, and Bash is the default shell.
Account password information
/etc/shadow stores the security information of user accounts, including the password, account expiration time and other settings. Ordinary users cannot access this file, which ensures security to a certain extent.
Each line of /etc/shadow contains 9 fields, again separated by colons (":"): login name, encrypted password, date of last password change, minimum number of days before the password may be changed, maximum number of days the password may be used, password warning period, password inactivity period, account expiration date, and a reserved field. The meaning of each field is described in detail below:
Login name: same as the account of / etc/passwd, used for login
Encrypted password: the password encrypted by crypt
Last password change time: the time when the password was last changed, indicating the number of days since January 1, 1970. A value of 0 has a special meaning, that is, users should change their password the next time they log on to the system. An empty field indicates that the password aging feature is disabled.
Minimum password age: the password cannot be changed until this many days have passed since it was last changed. An empty field or a value of 0 means it can be changed at any time.
Maximum password age: the user must change the password after this many days. After this period the password may still be valid, but the user is required to change it at the next login. An empty field means there is no maximum password age, no password warning period and no password inactivity period (see below). If the maximum password age is less than the minimum password age, the user cannot change the password.
Password warning period: during this period, the user is reminded to change the password. A blank field and a value of 0 indicate that there is no password warning period.
Password idle period: the number of days after the password expires (see the maximum password life above), during which time the password should still be accepted (users should update their password the next time they log in). After the password expires and this expiration time has elapsed, you will not be able to log in using the current user's password. Users should contact the administrator.
Account expiration time: this field represents the number of days since January 1, 1970. Please note that the validity period of the account is different from that of the password. If the account expires, the user is not allowed to log in. If the password expires, users are not allowed to log in with their password. An empty field indicates that the account will never expire. A value of 0 should not be used because it will be interpreted as the account expires on January 1, 1970.
Reserved field: this field is reserved for future use and is not enabled for now.
Example:
jack:$6$atIauuQ5$mh7ombrRsUxHxJ8uZGerdSUXSuBiOAzkfRgn2wrR69K5IbOANpHlBeY43BqmNkPy7Ho3XrGKu6CGIxc9nqjiS/:18303:1:10:7:7::
Breakdown: the login name is jack, the encrypted password is $6$atIauuQ5$mh7ombrRsUxHxJ8uZGerdSUXSuBiOAzkfRgn2wrR69K5IbOANpHlBeY43BqmNkPy7Ho3XrGKu6CGIxc9nqjiS/, the password was last changed on February 11, 2020, it cannot be changed before February 12, 2020, it must be changed by February 21, 2020, the user is warned to change it from February 14, 2020, and it can still be used until February 28, 2020 provided it is changed right after logging in; otherwise the account can no longer log in after February 28, 2020. No account expiration time has been set.
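The breakdown above is done by hand; the following added example (written for this article, not code from the original page) does the same arithmetic in code: it splits a shadow line into its nine fields, converts the day counts into dates, and decodes the $id$salt$encrypted password field using the hash ids and ciphertext lengths given later in the article. Field names and the returned dictionary keys are this example's own choices.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# $id -> (algorithm, expected ciphertext length) taken from the article's tables;
# Blowfish ($2a$) has no fixed length listed there, so its length is not checked.
CRYPT_IDS = {"1": ("MD5", 22), "2a": ("Blowfish", None),
             "5": ("SHA-256", 43), "6": ("SHA-512", 86)}
SALT_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")

def parse_hash(field):
    """Decode a $id$salt$encrypted field; reject anything malformed."""
    if field == "" or field.startswith(("!", "*")):
        return {"locked_or_empty": True}        # no usable password hash
    parts = field.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not in $id$salt$encrypted form")
    _, hid, salt, enc = parts
    if hid not in CRYPT_IDS:
        raise ValueError("unknown hash id %r" % hid)
    if not 1 <= len(salt) <= 16 or set(salt) - SALT_CHARS:
        raise ValueError("salt must be 1-16 chars of [a-zA-Z0-9./]")
    name, length = CRYPT_IDS[hid]
    if length is not None and len(enc) != length:
        raise ValueError("%s ciphertext should be %d chars" % (name, length))
    return {"algorithm": name, "salt": salt, "ciphertext_len": len(enc)}

def parse_shadow_line(line):
    """Expand one /etc/shadow line into the dates the article derives by hand."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields")
    name, pw, last, mn, mx, warn, inact, expire, _reserved = f
    info = {"name": name, "hash": parse_hash(pw),
            "account_expires": (EPOCH + timedelta(days=int(expire))).isoformat() if expire else None}
    if last == "":                              # empty field: password aging disabled
        return info
    info["force_change_at_login"] = last == "0"  # 0 means "change at next login"
    last_d = EPOCH + timedelta(days=int(last))
    info["last_change"] = last_d.isoformat()
    info["can_change_from"] = (last_d + timedelta(days=int(mn or 0))).isoformat()
    if mx:
        due = last_d + timedelta(days=int(mx))
        info["must_change_by"] = due.isoformat()
        info["warn_from"] = (due - timedelta(days=int(warn or 0))).isoformat()
        if inact:
            info["inactive_after"] = (due + timedelta(days=int(inact))).isoformat()
        info["change_blocked"] = int(mx) < int(mn or 0)   # max < min: cannot change
    return info
```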
User group information
Each user in Linux must have exactly one primary group, and may additionally belong to several supplementary groups. The primary group is set in the fourth field of the passwd file, and the supplementary groups are set in the group file.
Introduction to Group file
Like the other files, the group file uses one line per group, divided into four colon-separated fields: group name, password, group ID, and the users in the group. The meaning of each field is described in detail below:
Group name: the name of the group.
Password: as in the passwd file, the encrypted group password or an asterisk; in practice this field usually just contains "x", the same special arrangement as for user passwords.
Group ID: the digital ID of the group.
Users in the group: the user names of all members of the group, separated by commas.
Introduction to Gshadow file
The Gshadow file also occupies one line for each group and is divided into four fields using colons. They are group name, encrypted password, administrator, and member.
Group name: must be a valid group that already exists in the system
Encrypted password: the password encrypted by crypt
Administrator: must be a comma-separated list of user names. Administrators can change group passwords and members. Administrators also have the same permissions as members.
Member: must be a comma-separated list of user names. Members can access the group without password.
Checking whether the system has been brute-forced
Every login attempt by every user is recorded, whether it succeeds or fails. You can view the login history with the last command and the failed login records with the lastb command. Both ultimately read the /var/log/wtmp and /var/log/btmp files, which are binary files holding utmp structures (as declared in the Linux C header file).
The figure (not reproduced here) shows some failed attempts to log in to the server as found with the lastb command. A host with IP 39.105.202.21 was found to have tried to log in to the host repeatedly between 12:00 and 14:00 on March 7. The command sudo lastb | grep "39.105.202.21" | wc -l shows that a total of 2213 attempts were made, from which it can be inferred that it was trying to brute-force the login password.
You can also check with the last command whether that IP ever logged in successfully. If it did, the user's password must have been cracked; if there is no record where one would be expected, the log file may have been tampered with.
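The lastb pipeline above counts failures for one IP by hand. The following added example (not from the original article) reads the same btmp record format directly with Python's struct module and reports every source that produced a burst of failures inside a time window, which is the detection a defender would automate. It assumes the x86_64 glibc utmp layout (384-byte records) and builds its own sample records inline; the host address and times are constructed to mirror the article's figure, not real captured data.

```python
import struct
from datetime import datetime, timezone

# Layout of struct utmp on x86_64 glibc (384 bytes), the record format of
# /var/log/wtmp and /var/log/btmp: ut_type, 2 pad bytes, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session,
# ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
LOGIN_PROCESS = 6   # ut_type that login/sshd use for failed-attempt records

def cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")

def parse_btmp(data):
    """Yield (user, host, utc_datetime) for every failed-login record."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, data, off)
        if rec[0] != LOGIN_PROCESS:
            continue
        yield cstr(rec[4]), cstr(rec[5]), datetime.fromtimestamp(rec[9], timezone.utc)

def brute_force_sources(data, threshold=20, window_s=3600):
    """Hosts with at least `threshold` failures inside any `window_s` span,
    mapped to their total failure count (what `lastb | grep IP | wc -l` gives)."""
    times = {}
    for _, host, when in parse_btmp(data):
        times.setdefault(host, []).append(when.timestamp())
    hits = {}
    for host, ts in times.items():
        ts.sort()
        start = 0
        for i, t in enumerate(ts):
            while t - ts[start] > window_s:     # slide the window forward
                start += 1
            if i - start + 1 >= threshold:
                hits[host] = len(ts)
                break
    return hits

def make_record(user, host, sec):
    """Build one constructed btmp record (sample data, not a real capture)."""
    return struct.pack(UTMP_FMT, LOGIN_PROCESS, 0, b"ssh:notty", b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)

# Constructed sample: eight root failures one minute apart from one host
# (2020-03-07 04:00 UTC, i.e. 12:00 UTC+8), plus a single typo from an internal address.
SAMPLE_BTMP = b"".join(make_record("root", "39.105.202.21", 1583553600 + 60 * i)
                       for i in range(8)) + make_record("jack", "10.0.0.5", 1583553700)

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_BTMP, threshold=5, window_s=600))   # {'39.105.202.21': 8}
```

On a real host, replace SAMPLE_BTMP with the bytes of /var/log/btmp (root access required) and keep the default threshold and window for a first pass.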
Linux password protection
A password is easily leaked at the moment it is typed in to log in. With traditional hashing, a password can be guessed from a rainbow table, and even SHA256/SHA512 hashes can be looked up on online cracking websites. As long as the password is the same, the hash result is the same, so the hash is computed once and simply looked up in a table when someone wants to crack it. Today the MD5/SHA1 hash algorithms have been broken, and even adding a salt before hashing the password is no longer considered safe.
Linux hashes passwords with the crypt algorithm, so even the same password produces a different result every time. The salt is a randomly chosen string of up to 16 characters from [a-zA-Z0-9./], giving 4096 different variations, which makes dictionary cracking difficult because each password has to be recomputed.
Passwords in Linux are saved in a fixed format:
$id$salt$encrypted
id is a number indicating which method is used to derive the hash from the password and the salt:

| ID | Method |
| --- | --- |
| 1 | MD5 |
| 2a | Blowfish (not in mainline glibc; added in some Linux distributions) |
| 5 | SHA-256 (from glibc 2.7) |
| 6 | SHA-512 (from glibc 2.7) |
Salt is a random string consisting of uppercase and lowercase letters, numbers, periods (.) and "/" that does not exceed 16 bytes.
encrypted: the ciphertext produced by combining the plaintext password with the random salt and running the result through the hash function. The ciphertext lengths of the different hash algorithms are as follows:

| Algorithm | Length |
| --- | --- |
| MD5 | 22 characters |
| SHA-256 | 43 characters |
| SHA-512 | 86 characters |

This concludes "what is a Linux account and how to ensure information security"; thank you for reading.