Shulou(Shulou.com)06/01 Report--

Today, I will talk to you about how to prevent illegal user registration in UNIX. Many people may not know much about it. In order to make you understand better, the editor has summarized the following content for you. I hope you can get something according to this article.

Due to the openness of SCO Unix operating system, the sharing of network system, the versatility of database and other factors, the security of data information in Unix operating system is becoming more and more prominent, especially the security management of terminal port is an important part of information system security. Due to the defects of the operating system itself, coupled with the dispersion of business outlets and other factors, leaving remote terminals including DDN dedicated lines and MODEM dial-up ports and external service terminals can not be specially supervised, providing a convenient door for illegal entrants, therefore, efforts must be made to strengthen the port security management of the Unix operating system, increase port passwords and limit login port users and working hours.

How it works:

The whole process of operating system user registration and login is as follows: the user opens the terminal and enters the user name after login: and the password after passwd:. After receiving the user name and password, the operating system checks the validity with / etc/passwd and / etc/shadow files, and compares the registered name UID code, GID code (representing user group), GCOS domain (user personal information), registration directory, registration shell (usually / bin/sh, that is, Baurne shell). Then read the information about the terminal port, find the / etc/dialups file, / etc/d_passwd file, and finally launch the .profile file in / etc/profile and the user root directory (in the case of c_shell, execute .login and .CShrc in the / etc/CSh.login and user root directory In the case of korn shell, the file defined by the environment variable ENV) is executed to configure the user environment variable to find the mail information that prompts the user.

Throughout the above process analysis, we can simply add the terminal port device number in the / etc/dialups file and the password in the / etc/d_passwd file to limit illegal login, which is one of them. We can also modify the / etc/profile file to add a program to compare it with our preset files about users, ports, working hours, and so on, to determine whether the login port, date and time of the current registered user is within the range we allow, otherwise registration is not allowed. The reason for modifying the file / etc/profile instead of using the file $home/.profile is that using the file / etc/profile is more convenient for large-scale control and processing, which is the second. In addition, the last part of the login process for a legitimate user is to set the user environment variables and terminal information according to the $HOME/.profile in the user's root directory. We can add the startup command of the user's business handler at $HOME/.profile and make it log out of the login state, so as to reduce the chance of using the / bin/sh command in the user's root directory. Ensure the security of the files in the user's root directory.

Based on the above principles, we have come up with three effective ways to strengthen the management of terminal port restrictions:

1. Add port password to restrict remote login

Remote login includes dialing through MODEM, accessing the server through DDN private line, and logging in to the system through terminal server, hub, etc. The port numbers of the MODEM and DDN dedicated access servers are / dev/tty1A and / dev/ttya?,. For 0, 1, 2. The port number to access the server through terminal servers, routers, and hubs is / dev/ttyp? , among them? For 0, 1, 2. Wait. In this case, pseudo-tty device files are used, and usually the login port is not fixed. Therefore, the fixed communication server port setting program must be executed first, which is provided by the communication server manufacturer along with the product. Restrict remote login by adding dial-in passwords to these device ports.

2. Limit the user to log in at the specified port and within the specified time

When the user registers and logs in to the Unix operating system, the system file / etc/profile must be executed, and we modify this file to let the system read the user name, port name, weekly working date, daily working time, and daily closing time. Then check the validity of user registration and login according to this file, the port name is not restricted in this file, the port name is in this file, but the user name is incorrect, the user name and port name are correct, but the working hours are not allowed to log in.

3. Run the business handler immediately when the user registers and log in, and exit / bin/sh when the user exits the business handler.

After reading the above, do you have any further understanding of how to prevent illegal user registration in UNIX? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.