Linux system security management

1, Account security control

1.1: basic measures for account security
1.1.1: system account cleaning

● set the Shell of non-login users to /sbin/nologin

[root@lpf ~]# grep "/sbin/nologin$" /etc/passwd		#View accounts that cannot log in
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
...Omit part of the content
[root@lpf ~]# grep "bash$" /etc/passwd		        #View accounts that have a login shell
[root@lpf ~]# vi /etc/passwd                        #Change the shell of accounts that should not log in to /sbin/nologin

● lock accounts that are not used for a long time

[root@lpf ~]# useradd tom
[root@lpf ~]# passwd tom
passwd: All authentication tokens have been successfully updated.
[root@lpf ~]# usermod -L tom
[root@lpf ~]# passwd -S tom
tom LK 2020-06-22 0 99999 7 -1 (The password is locked.)
[root@lpf ~]# usermod -U tom
[root@lpf ~]# passwd -S tom
tom PS 2020-06-22 0 99999 7 -1 (Password set, SHA512 crypt.)
[root@lpf ~]# usermod -L tom

[root@lpf ~]# vi /etc/shadow
tom:!$6$ewqXSVmV$nWbW74WqfC110ty8nz48c7SZw.rXUqWfgZmLJitEILuquAv9ESfqu1bR6MJYr03eHClD5qyUfhNmeMjXpB5BG/:18435:0:30:7:::                       #A leading "!" in the password field marks the account as locked; it cannot log in
#Remove the "!" and the account can log in again
[root@lpf ~]# passwd -S tom
tom PS 2020-06-22 0 30 7 -1 (Password set, SHA512 crypt.)    #Shows the account as unlocked

● delete useless account

Some non-login users are rarely used, such as news, uucp, games, gopher, etc. These can be regarded as redundant accounts and deleted directly

In addition, some user accounts are created when application programs are installed. If the program fails to remove them automatically on uninstallation, they need to be deleted manually

[root@lpf ~]# userdel -r tom                                     #Delete user and home directory

● lock the account files passwd and shadow


[root@lpf ~]# chattr +i /etc/passwd /etc/shadow
[root@lpf ~]# lsattr /etc/passwd /etc/shadow
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@lpf ~]# chattr -i /etc/passwd /etc/shadow   #File unlocking
[root@lpf ~]# lsattr /etc/passwd /etc/shadow
--------------- /etc/passwd
--------------- /etc/shadow
1.1.2: password security control

● set the password validity period
● require the user to change the password at the next login

For new users (accounts created from now on):
[root@lpf ~]# vi /etc/login.defs
PASS_MAX_DAYS   30                                  #Change the default 99999 to 30 days

For existing users:
[root@lpf ~]# chage -M 30 lisi                      #Maximum password age of 30 days for lisi
[root@lpf ~]# chage -d 0 lisi                       #Force a password change at the next login

1.1.3: command history, automatic logout

Command history limit

Reduce the number of recorded commands: in the bash terminal environment the number of history records is controlled by the variable HISTSIZE, which is 1000 by default. Modifying the HISTSIZE value in the /etc/profile file affects all users on the system

[root@lpf ~]# vi /etc/profile                       #For users not yet created, modify the configuration file
...Omit part of the content
HISTSIZE=200                                        #Change HISTSIZE=1000 to HISTSIZE=200
[root@lpf ~]# export HISTSIZE=200                   #Applies to the current user only and takes effect immediately
'After editing /etc/profile, run source /etc/profile or reboot for the change to take effect'

[root@lpf ~]# vi ~/.bash_logout                     #Clear the command history automatically when the account logs out
history -c
clear

Automatic logout

[root@lpf ~]# vi ~/.bash_profile
............
export TMOUT=600                                    #Log the account out automatically after 600 seconds of inactivity
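
The checks in 1.1.1 and 1.1.2 can be scripted. The following is an added example, not code from the original article: it audits copies of /etc/passwd and /etc/shadow with awk and reports which accounts still have a login shell, which are locked by a leading "!", which unlocked accounts are not yet under a 30-day maximum age, and which still carry a hash other than SHA-512. File paths are parameters so it can run on copies; the sample files written by make_samples() and the hash strings inside them are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd/shadow pair
# against the controls in 1.1.1 and 1.1.2. The functions take file paths so
# they can run on copies of /etc/passwd and /etc/shadow; make_samples() writes
# constructed sample files (fake hashes) so the script runs offline.

join_lines() { tr '\n' ' ' | sed 's/ $//'; }

# Accounts that still have an interactive shell, i.e. anything other than
# /sbin/nologin or /bin/false (compare: grep "bash$" /etc/passwd).
login_shell_users() {      # $1 = passwd file
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Accounts whose password field starts with "!" or "*": locked, exactly the
# state that usermod -L / passwd -l leave behind.
locked_users() {           # $1 = shadow file
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Unlocked accounts whose maximum password age (shadow field 5) is missing
# or longer than the policy, i.e. not yet covered by PASS_MAX_DAYS / chage -M.
stale_policy_users() {     # $1 = shadow file, $2 = maximum allowed days
    awk -F: -v max="$2" '$2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max + 0) { print $1 }' "$1"
}

# Accounts that have a hash but not a SHA-512 one ($6$): legacy MD5 ($1$) or
# DES hashes should be reset once ENCRYPT_METHOD SHA512 is configured.
weak_hash_users() {        # $1 = shadow file
    awk -F: '{ h = $2; sub(/^[!*]+/, "", h)
               if (h != "" && h !~ /^\$6\$/) print $1 }' "$1"
}

# Constructed sample data (the hashes are placeholders, not real digests).
make_samples() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
lpf:x:1000:1000::/home/lpf:/bin/bash
tom:x:1005:1005::/home/tom:/bin/bash
radmin:x:1004:1004::/home/radmin:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:18435:0:99999:7:::
bin:*:18000:0:99999:7:::
games:*:18000:0:99999:7:::
lpf:$1$abc$PLACEHOLDERMD5:18435:0:99999:7:::
tom:!$6$saltsalt$PLACEHOLDERHASH:18435:0:30:7:::
radmin:$6$saltsalt$PLACEHOLDERHASH:18435:0:30:7:::
EOF
    echo "$d"
}

account_audit_demo() {
    d=$(make_samples)
    echo "login shells : $(login_shell_users "$d/passwd" | join_lines)"
    echo "locked       : $(locked_users "$d/shadow" | join_lines)"
    echo "age > 30 days: $(stale_policy_users "$d/shadow" 30 | join_lines)"
    echo "not SHA-512  : $(weak_hash_users "$d/shadow" | join_lines)"
    rm -rf "$d"
}

# Run the demo with: sh audit.sh demo
if [ "${1:-}" = "demo" ]; then account_audit_demo; fi
```

The hash field is only pattern-matched, never decoded, so the script can be run on a copy of the real shadow file without exposing anything beyond the account names it prints.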
1.2: user switching and privilege elevation

On most Linux servers it is not recommended to log in directly as root.

On the one hand, this greatly reduces the damage caused by operator mistakes

On the other hand, it reduces the risk of the privileged password being leaked over an insecure network

Two commands: su and sudo

The su command is mainly used to switch users

The sudo command is used to elevate execution permissions

1.2.1: su command - switch user
  1. With the su command you can switch to another specified user and thereby obtain all of that user's permissions

The password of the target user must be entered when switching (not required when switching from root to another user)

Basic format of the su command (Substitute User):
su - target_user
[root@localhost ~]# su - lisi            #switching from root to another user does not require a password
[lisi@localhost ~]$ su - root            #a password is required to switch from another user to root

In the above operations, "-" is equivalent to "--login" or "-l" and means to enter the login shell environment of the target user after switching. Without this option only the identity is switched; the user environment is not
[tom@lpf opt]$ su root
Password:
[root@lpf opt]# exit                     #switched to root but kept the current shell environment (still in /opt)
exit
[tom@lpf opt]$ su - root                 #switch to the login shell environment of the new account
Password:
Last login: Mon Jun 22 18:47:39 CST 2020 on pts/0
[root@lpf ~]#
  2. Restrict which users can use the su command

Add the users who are allowed to use the su command to the wheel group, then enable the pam_wheel module in the PAM configuration of su

[root@lpf ~]# gpasswd -a radmin wheel              #Add the user to the wheel group
Adding user radmin to group wheel
[root@lpf ~]# grep wheel /etc/group
wheel:x:10:radmin
[root@lpf ~]# vi /etc/pam.d/su                      #Enable the pam_wheel authentication module
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth            sufficient      pam_wheel.so trust use_uid      #With this line active, wheel members can su without a password
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid            #Uncomment this line
auth            substack        system-auth
auth            include         postlogin
[root@lpf ~]# su lpf                                #lpf is not in the wheel group
[lpf@lpf root]$ su radmin
Password:
su: Permission denied
[lpf@lpf root]$ su root
Password:
su: Permission denied
1.3: PAM security authentication in Linux
1.3.1: security risks of the su command
  • By default any user is allowed to use the su command, so anyone can repeatedly try other users' login passwords, which is a risk

    With the pam_wheel authentication module, use of the su command can be limited to the specified permitted users

1.3.2 principle of PAM authentication

1) PAM (Pluggable Authentication Modules) is an efficient, flexible and convenient user-level authentication mechanism that is widely used on current Linux servers
2) PAM authentication generally follows the order: service → PAM configuration file → pam_*.so (the .so suffix denotes a module file)
3) PAM authentication first determines which service is involved, then loads the corresponding PAM configuration file (under /etc/pam.d), and finally calls the authentication module files (under /lib/security) to perform the checks.
4) When a user accesses the server, the server's service program passes the user's requests to the PAM modules for authentication
5) Different applications use different PAM modules

1.3.3 composition of PAM authentication

To check whether a program supports PAM authentication, list /etc/pam.d; for example, to check whether su supports PAM module authentication:

[root@lpf ~]# ls /etc/pam.d | grep su

View the PAM configuration file of su: cat /etc/pam.d/su

Each line is an independent authentication step

Each line is divided into three fields (authentication type, control type, PAM module and its parameters)

There are four PAM authentication types: auth (authentication management), account (account management), password (password management) and session (session management)
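
As an added example (not from the original article), the following shell functions read a pam.d service file as the three fields just described and report whether su is in fact limited to the wheel group, the state the edit in 1.2.1 produces. The pam.d/su and group files it parses are constructed copies written by make_pam_samples(); the "trust" check flags the line that would let wheel members su without a password.

```shell
#!/bin/sh
# Added example, not from the original article: parse a PAM service file into
# its three fields (type, control, module + arguments) and check whether su is
# restricted to the wheel group as configured in 1.2.1. Sample pam.d/su and
# group files are constructed below; no live system files are touched.

# Active (non-comment) lines with at least three fields, whitespace collapsed.
pam_active_lines() {            # $1 = pam.d service file
    awk '!/^[[:space:]]*#/ && NF >= 3 { $1 = $1; print }' "$1"
}

# Succeeds when an uncommented "auth required pam_wheel.so ... use_uid" line
# exists: non-wheel users are then refused by su before any password prompt.
su_restricted_to_wheel() {      # $1 = pam.d/su file
    pam_active_lines "$1" | awk '
        $1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" {
            for (i = 4; i <= NF; i++) if ($i == "use_uid") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Succeeds when the "trust" line is active: wheel members could then su to
# root WITHOUT a password, which is usually not intended.
wheel_trusted_without_password() {   # $1 = pam.d/su file
    pam_active_lines "$1" | awk '
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_wheel.so" {
            for (i = 4; i <= NF; i++) if ($i == "trust") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Members of the wheel group from a group file (field 4, comma separated).
wheel_members() {               # $1 = group file
    awk -F: '$1 == "wheel" { n = split($4, m, ",")
                             for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Constructed samples: the su file as shipped (both pam_wheel lines commented)
# and the same file after the "required" line has been uncommented.
make_pam_samples() {
    d=$(mktemp -d)
    cat > "$d/su.before" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
EOF
    sed 's/^#auth\(.*required.*\)/auth\1/' "$d/su.before" > "$d/su.after"
    printf 'root:x:0:\nwheel:x:10:radmin\n' > "$d/group"
    echo "$d"
}

pam_demo() {
    d=$(make_pam_samples)
    for f in su.before su.after; do
        if su_restricted_to_wheel "$d/$f"; then echo "$f: su limited to wheel"; else echo "$f: any user may try su"; fi
    done
    echo "wheel members: $(wheel_members "$d/group" | tr '\n' ' ')"
    rm -rf "$d"
}

# Run the demo with: sh pamcheck.sh demo
if [ "${1:-}" = "demo" ]; then pam_demo; fi
```

Pointed at the real /etc/pam.d/su and /etc/group, the two checks give a quick answer to "who can still attempt su on this host" without having to read the file by eye.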

1.3.4: PAM security authentication process

1.4: use the sudo mechanism to elevate permissions
1.4.1: disadvantages of the su command

Switching to another user with su is convenient, but only if you know the login password of the target user
For Linux servers in a production environment, every additional person who knows the privileged password increases the security risk by one step

1.4.2: purpose and usage of the sudo command

Purpose: execute authorized commands as another user (such as root)

Usage: sudo + authorized command

1.4.3: configure sudo authorization

The configuration file of the sudo mechanism is /etc/sudoers. Its default permission is 440 and it should be edited with the dedicated visudo tool, which checks the syntax before saving. If you edit it with vi, you must save with ":w!" to force the write; otherwise the system reports a read-only file and refuses to save

[root@lpf ~]# visudo

zhangsan localhost=/sbin/useradd,/bin/passwd,!/sbin/ifconfig
%wheel  ALL=(ALL)       NOPASSWD: ALL
 Format: user  host_list=command_list
 *: wildcard
 !: negation (the command is excluded)
 %: group name
1.4.4: sudo experiment
Experiment 1
[root@lpf ~]# id tom
uid=1005(tom) gid=1005(tom) groups=1005(tom)
[root@lpf ~]# id radmin
uid=1004(radmin) gid=1004(radmin) groups=1004(radmin)

[root@lpf ~]# vi /etc/sudoers

tom lpf=/sbin/*,!/sbin/ifconfig                     #tom may run any command in /sbin on host lpf except ifconfig
radmin lpf=/sbin/ifconfig                           #radmin may run only ifconfig
%wheel  ALL=(ALL)       NOPASSWD: ALL

[root@lpf ~]# su tom
[tom@lpf root]$ sudo ifconfig ens33:2 192.168.200.10/24
[sudo] password for tom:
Sorry, user tom is not allowed to execute '/sbin/ifconfig ens33:2 192.168.200.10/24' as root on lpf.

[root@lpf ~]# su radmin
[radmin@lpf root]$ sudo ifconfig ens33:2 192.168.200.10/24
[sudo] password for radmin:
[radmin@lpf root]$ ifconfig

ens33:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.200.10  netmask 255.255.255.0  broadcast 192.168.200.255
        ether 00:0c:29:2f:0b:bb  txqueuelen 1000  (Ethernet)
Experiment 2
[root@lpf ~]# visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
tom     ALL=(ALL)       ALL                    #Give tom full administrator permission
#tom lpf=/sbin/*,!/sbin/ifconfig
radmin lpf=/sbin/ifconfig
[tom@lpf root]$ sudo ifconfig ens33:3 192.168.200.20/24
ens33:3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.200.20  netmask 255.255.255.0  broadcast 192.168.200.255
1.4.5: View sudo operation records
  • View sudo operation records

    The Defaults logfile setting must be enabled first

    Default log file: /var/log/sudo

    [root@lpf ~]# visudo                                  #edit the sudo configuration file
    Defaults logfile="/var/log/sudo"                      #add this line to the configuration file

    [root@lpf ~]# su - tom                                #switch to the tom user
    [tom@lpf ~]$ sudo ifconfig ens33 22.22.22.22          #perform an operation to see whether it is recorded in the log file
    [sudo] password for tom:
    [root@lpf ~]# cat /var/log/sudo                       #view the log file
        COMMAND=/sbin/ifconfig ens33 22.22.22.22          #the operation just performed appears in it
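
The file written by Defaults logfile is plain text with one record per sudo invocation, so it can be summarised with awk. The script below is an added example, not part of the original article. Its log lines are constructed in the layout sudo writes (date : user : [refusal reason ;] TTY= ; PWD= ; USER= ; COMMAND=), and the refusal texts in them are assumed to match sudo's wording; a record without a refusal reason is a command that actually ran.

```shell
#!/bin/sh
# Added example, not from the original article: summarise a sudo logfile of
# the kind produced by Defaults logfile="/var/log/sudo". Each record has the
# form "date : user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# and a reason is only present when sudo refused. The log lines below are
# constructed for the demo.

# Normalise every record to "user<TAB>result<TAB>command"; result is "ok" for
# executed commands or sudo's refusal text.
sudo_events() {                 # $1 = sudo logfile
    awk -F' : ' '{
        user = $2; rest = $3
        for (i = 4; i <= NF; i++) rest = rest " : " $i
        n = split(rest, part, " ; "); result = "ok"; cmd = ""
        for (i = 1; i <= n; i++) {
            if (part[i] ~ /^COMMAND=/)              cmd = substr(part[i], 9)
            else if (part[i] !~ /^(TTY|PWD|USER)=/) result = part[i]
        }
        print user "\t" result "\t" cmd
    }' "$1"
}

# Only the refused attempts: these are the records worth alerting on.
sudo_denied() {                 # $1 = sudo logfile
    sudo_events "$1" | awk -F'\t' '$2 != "ok"'
}

sudo_denied_count() { sudo_denied "$1" | wc -l | tr -d ' '; }

# Commands a given user actually ran through sudo.
sudo_commands_by() {            # $1 = logfile, $2 = user
    sudo_events "$1" | awk -F'\t' -v u="$2" '$1 == u && $2 == "ok" { print $3 }'
}

# Constructed sample log (same layout as the /var/log/sudo file above).
make_sudo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun 23 00:10:11 : tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/sbin/ifconfig ens33 22.22.22.22
Jun 23 00:12:30 : lpf : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/lpf ; USER=root ; COMMAND=/bin/passwd root
Jun 23 00:13:05 : tom : command not allowed ; TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/sbin/ifconfig ens33:2 192.168.200.10/24
Jun 23 00:14:00 : radmin : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/radmin ; USER=root ; COMMAND=/bin/passwd lpf
Jun 23 00:15:42 : radmin : TTY=pts/2 ; PWD=/home/radmin ; USER=root ; COMMAND=/sbin/ifconfig ens33:2 192.168.200.10/24
EOF
    echo "$f"
}

sudo_log_demo() {
    f=$(make_sudo_log)
    echo "denied attempts: $(sudo_denied_count "$f")"
    sudo_denied "$f"
    echo "tom ran: $(sudo_commands_by "$f" tom)"
    rm -f "$f"
}

# Run the demo with: sh sudolog.sh demo
if [ "${1:-}" = "demo" ]; then sudo_log_demo; fi
```

The refused records are the interesting ones for a reviewer: a user outside sudoers, a command outside the allowed list (the tom case from Experiment 1), or repeated wrong passwords each show up with their own reason text.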
    

2: System boot and login control

2.1: boot security control
2.1.1: adjust BIOS boot settings

Set the first boot device to the hard disk of the current system
Do not boot the system from other devices (CD, USB, network)
Set the security level to "setup" and set the administrator password

2.1.2: GRUB restriction

Use grub2-mkpasswd-pbkdf2 to generate an encrypted password
Add the password record to the /etc/grub.d/00_header file
Generate a new grub.cfg configuration file

2.1.3: experiment process
[root@lpf ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak            #Back up the grub configuration file
[root@lpf ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak          #Back up the /etc/grub.d/00_header file
[root@lpf ~]# grub2-setpassword                                           #Set the GRUB password (stored as a PBKDF2 hash)
Enter password:                         #for example, enter 123123
Confirm password:                       #repeat 123123
[root@lpf ~]# cat /boot/grub2/user.cfg  #Check that the password has been added
[root@lpf ~]# reboot                    #After restart, press e in the GRUB menu and the password is required
2.2: terminal login security control
2.2.1: restrict root to logging in only on secure terminals
  • Secure terminal configuration: /etc/securetty

    [root@localhost ~]# vim /etc/securetty    #edit the terminal configuration
    ... Omit part of the content
    vc/9
    vc/10
    vc/11
    tty1
    #tty2                                     #commenting out tty2 forbids root from logging in on that terminal
    #tty3                                     #commenting out tty3 forbids root from logging in on that terminal
    tty4
    tty5
    tty6
    tty7
    ... Omit part of the content

    About tty

    tty: the general term for terminal devices.

    tty originates from Teletype, originally meaning a teletypewriter, which read and sent information through a printer keyboard over a serial line. Later it was replaced by keyboard and display, so "terminal" is the more suitable name today. A terminal is a kind of character device and there are many types; tty is commonly used as the abbreviation for all kinds of terminal devices.

    tty1-6 are text consoles and tty7 is the X Window graphical display manager.

    On the local machine you can use Ctrl+Alt+F1 (F1-F7) to switch to the corresponding login console.

2.2.2: normal users are not allowed to log in
  • Create the /etc/nologin file

  • Delete the nologin file, or it is removed after a restart, to return to normal

    [root@lpf ~]# touch /etc/nologin          #Disable normal user login
    [root@lpf ~]# rm -rf /etc/nologin         #Remove the above login restriction
    "Usually used for maintenance (only root can log in; other users cannot)"

    For example:
    [root@lpf ~]# touch /etc/nologin
    Now when another user tries to log in, the login is refused even if the password is entered correctly, as if the password did not work; only root can log in
    [root@lpf ~]# rm -rf /etc/nologin
    After the restriction is removed, other users can log in normally
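
An added example (not from the original article) that checks the boot and terminal controls of 2.1 and 2.2 on copies of the files: which terminals /etc/securetty still allows root on, whether /boot/grub2/user.cfg holds a PBKDF2 hash rather than a plain password, and whether the nologin file is present. Paths are parameters; the sample files and the hash value written by make_login_samples() are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: check the boot and terminal
# login controls from 2.1 and 2.2 on copies of the relevant files. The
# sample securetty, user.cfg and nologin files are constructed below.

# Terminals on which root may log in: every uncommented, non-empty line.
securetty_allowed() {           # $1 = securetty file
    sed -e 's/[[:space:]]*#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Succeeds when root may log in on the given terminal (e.g. tty2).
root_allowed_on() {             # $1 = securetty file, $2 = terminal name
    securetty_allowed "$1" | grep -qx "$2"
}

# Succeeds when GRUB2_PASSWORD in user.cfg holds a PBKDF2-SHA512 hash, the
# form grub2-setpassword writes; a plain-text value does not count.
grub_password_set() {           # $1 = user.cfg
    grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.[0-9]*\.[0-9A-F]*\.[0-9A-F]*$' "$1"
}

# Succeeds when the nologin file exists, i.e. only root can log in.
maintenance_mode() {            # $1 = path to the nologin file
    [ -e "$1" ]
}

make_login_samples() {
    d=$(mktemp -d)
    cat > "$d/securetty" <<'EOF'
console
tty1
#tty2
#tty3
tty4
EOF
    # Placeholder hash in the user.cfg layout; not a real grub2-setpassword output.
    printf 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.ABCDEF0123.0123ABCDEF\n' > "$d/user.cfg"
    printf 'GRUB2_PASSWORD=123456\n' > "$d/user.cfg.weak"
    echo "$d"
}

login_control_demo() {
    d=$(make_login_samples)
    echo "root may log in on: $(securetty_allowed "$d/securetty" | tr '\n' ' ')"
    for t in tty1 tty2; do
        if root_allowed_on "$d/securetty" "$t"; then echo "$t: root login allowed"; else echo "$t: root login blocked"; fi
    done
    if grub_password_set "$d/user.cfg"; then echo "user.cfg: GRUB password set"; fi
    touch "$d/nologin"
    if maintenance_mode "$d/nologin"; then echo "nologin present: only root may log in"; fi
    rm -rf "$d"
}

# Run the demo with: sh logincheck.sh demo
if [ "${1:-}" = "demo" ]; then login_control_demo; fi
```

Against the live system the calls would be `securetty_allowed /etc/securetty`, `grub_password_set /boot/grub2/user.cfg` and `maintenance_mode /etc/nologin`; the last one is the check to run after maintenance so a forgotten nologin file does not keep users locked out.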
      

3, Weak password detection

3.1: John the Ripper, abbreviated JR
  • A password-cracking tool that supports dictionary-based brute-force cracking
  • By analysing the password hashes in the shadow file, the strength of passwords can be checked
  • The software package needs to be downloaded by yourself
3.2: weak password experiment: check your own passwords with the john tool
[root@lpf ~]# cd /opt                          #Upload the software package to /opt
[root@lpf opt]# ll
total 5324
-rw-r--r--. 1 root root 5450412 Jun 22 23:59 john-1.8.0.tar.gz
drwxr-xr-x. 3 root root      16 Jun 10 09:09 opt
drwxr-xr-x. 2 root root       6 Oct 31  2018 rh
[root@lpf opt]# tar zxvf john-1.8.0.tar.gz

[root@lpf opt]# cd john-1.8.0
[root@lpf john-1.8.0]# ll
total 4
drwxr-xr-x. 2 root root  208 Jun 23 00:00 doc
lrwxrwxrwx. 1 root root   10 May 30  2013 README -> doc/README
drwxr-xr-x. 2 root root  143 Jun 23 00:00 run
drwxr-xr-x. 2 root root 4096 Jun 23 00:00 src
[root@lpf john-1.8.0]# cd src
[root@lpf src]# make clean linux-x86-64           #Compile; the binary is written to ../run
[root@lpf src]# ll ../run
......
-rwxr-xr-x. 1 root root  283184 Jun 23 00:03 john   #Confirm that the executable john has been generated

[root@lpf src]# cd ..
[root@lpf john-1.8.0]# ll
total 8
drwxr-xr-x. 2 root root  208 Jun 23 00:00 doc
lrwxrwxrwx. 1 root root   10 May 30  2013 README -> doc/README
drwxr-xr-x. 2 root root  198 Jun 23 00:03 run
drwxr-xr-x. 2 root root 4096 Jun 23 00:03 src
[root@lpf john-1.8.0]# cd run
[root@lpf run]# cp /etc/shadow /root/shadow.txt     #Prepare password file to be cracked
[root@lpf run]# ./john /root/shadow.txt
Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (radmin)
123456           (tom)
123456           (root)
123456           (lpf)
4g 0:00:00:28 100% 2/3 0.1418g/s 417.2p/s 427.4c/s 427.4C/s 123456..pepper
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[root@lpf run]# ./john --show /root/shadow.txt             #View password
root:123456::0:99999:7:::
lpf:123456::0:99999:7:::
radmin:123456:18435:0:30:7:::
tom:123456:18435:0:30:7:::

4 password hashes cracked, 0 left
[root@lpf run]# ./john --w:/root/passwd.lst /root/shadow.txt
Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64])
No password hashes left to crack (see FAQ)         #Hashes already cracked are skipped; remove them from john.pot to crack again
[root@lpf run]# vi john.pot                         #delete all lines (e.g. 100dd in vi)
[root@lpf run]# ./john --wordlist=./password.lst /root/shadow.txt
Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (radmin)
123456           (tom)
123456           (root)
123456           (lpf)
4g 0:00:00:00 100% 4.395g/s 105.4p/s 421.9c/s 421.9C/s 123456..pepper
Use the "--show" option to display all of the cracked passwords reliably
Session completed

4: Port scan

4.1: NMAP

A powerful network scanning and security detection tool

It can detect which hosts in the LAN are online, or which ports are opened in a host

Scan syntax of nmap

nmap [scan type] [options] <scan target>

Common scan types

-sS, -sT, -sF, -sU, -sP, -P0

-sT: TCP connect scan of TCP ports

-sU: scan of UDP ports

-sP: ping scan (host discovery only)

4.2: nmap experiment
[root@lpf run]# rpm -q nmap
package nmap is not installed
[root@lpf run]# yum install nmap -y
...Omitted here
[root@lpf run]# nmap -sP 20.0.0.0/24       #Check which hosts are online in the 20.0.0.0/24 network segment
Starting Nmap 6.40 ( http://nmap.org ) at 2020-06-23 00:40 CST
Nmap scan report for 20.0.0.1
Host is up (0.00052s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 20.0.0.2
Host is up (0.00014s latency).
MAC Address: 00:50:56:E9:D3:80 (VMware)
Nmap scan report for 20.0.0.41
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.09 seconds

[root@lpf run]# nmap -sT 20.0.0.41       #Check which tcp ports are open in 20.0.0.41

Starting Nmap 6.40 ( http://nmap.org ) at 2020-06-23 00:41 CST
Nmap scan report for 20.0.0.41
Host is up (0.00092s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
6000/tcp open  X11

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
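
Saved nmap output is easy to post-process. As an added example (not from the original article), the functions below extract the hosts that answered a -sP scan and the open ports from a -sT scan, then list every open port that is not on an allow-list, which is the question a defender actually asks of a scan of their own host. The sample scan text written by make_nmap_samples() is constructed in the layout of the nmap 6.40 output shown above.

```shell
#!/bin/sh
# Added example, not from the original article: turn saved nmap output into a
# list of open ports and compare it with the ports the host is supposed to
# expose. The sample scan text below is constructed in the layout of the
# -sP / -sT runs shown above (nmap 6.40).

# Hosts that answered a ping scan (-sP): the address on each report line,
# with the parentheses nmap adds when it also resolved a host name.
nmap_hosts_up() {               # $1 = saved -sP output
    awk '/^Nmap scan report for / { h = $NF; gsub(/[()]/, "", h); print h }' "$1"
}

# Open ports from a port scan (-sT/-sS/-sU) as "port/proto service".
nmap_open_ports() {             # $1 = saved port-scan output
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }' "$1"
}

# Open ports that are NOT in the allow-list (space-separated, e.g. "22/tcp").
unexpected_open_ports() {       # $1 = saved port-scan output, $2 = allow-list
    nmap_open_ports "$1" | awk -v allow=" $2 " 'index(allow, " " $1 " ") == 0'
}

make_nmap_samples() {
    d=$(mktemp -d)
    cat > "$d/ping.txt" <<'EOF'
Starting Nmap 6.40 ( http://nmap.org ) at 2020-06-23 00:40 CST
Nmap scan report for 20.0.0.1
Host is up (0.00052s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for gateway.lan (20.0.0.2)
Host is up (0.00014s latency).
Nmap scan report for 20.0.0.41
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.09 seconds
EOF
    cat > "$d/ports.txt" <<'EOF'
Starting Nmap 6.40 ( http://nmap.org ) at 2020-06-23 00:41 CST
Nmap scan report for 20.0.0.41
Host is up (0.00092s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
6000/tcp open  X11

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
EOF
    echo "$d"
}

scan_demo() {
    d=$(make_nmap_samples)
    echo "hosts up: $(nmap_hosts_up "$d/ping.txt" | tr '\n' ' ')"
    echo "open    : $(nmap_open_ports "$d/ports.txt" | tr '\n' ';')"
    echo "review  : $(unexpected_open_ports "$d/ports.txt" "22/tcp" | tr '\n' ';')"
    rm -rf "$d"
}

# Run the demo with: sh scancheck.sh demo
if [ "${1:-}" = "demo" ]; then scan_demo; fi
```

With only 22/tcp on the allow-list, the rpcbind and X11 ports from the scan above are reported for review; once the list reflects what the host is meant to serve, an empty result means the exposed surface has not changed.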


5, Exercises:

  1. Only the user radmin is allowed to use the su command
[root@lpf ~]# useradd radmin
[root@lpf ~]# passwd radmin
Changing password for user radmin.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@lpf ~]# gpasswd -a radmin wheel
Adding user radmin to group wheel
[root@lpf ~]# grep wheel /etc/group
wheel:x:10:radmin
[root@lpf ~]# vi /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth            sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid      #uncomment this line
auth            substack        system-auth
auth            include         postlogin
[root@lpf ~]# su lpf
[lpf@lpf root]$ su radmin
Password:
su: Permission denied
[lpf@lpf root]$ su root
Password:
su: Permission denied
  2. Allow the user zhangsan to manage employee accounts through sudo
[root@lpf ~]# visudo

zhangsan ALL=(ALL)       NOPASSWD: ALL           #grants every command; the narrower rule in 1.4.3 limits zhangsan to useradd and passwd
%wheel   ALL=(ALL)       NOPASSWD: ALL
  3. Allow the user lisi to execute a privileged command through sudo
[root@lpf ~]# vi /etc/sudoers

lisi localhost=/sbin/ifconfig

#Format: user  host=commands
  4. Record su and sudo operations and make basic system security settings

    By default, actions performed through sudo are not written to a dedicated log file. To enable sudo logging, add the "Defaults logfile" option to the /etc/sudoers file.

    As follows: add the sudo logging function

    [root@lpf lpf]# vi /etc/sudoers
    
    Defaults logfile="/var/log/sudo"
    Defaults logfile="/var/log/su"       #Note: a later Defaults logfile line replaces the earlier one, so only one of the two takes effect; su itself is not logged through sudoers
    
    [root@lpf ~]# vi /etc/profile
    
    HISTSIZE=200                   #Default 1000; set to 200 to reduce the number of commands kept in the history
    
    [root@lpf ~]# vi ~/.bash_logout
    
    # ~/.bash_logout
    
    history -c                     #Clear the command history when the account logs out
    clear
    
    [root@lpf ~]# vi ~/.bash_profile
    
    export PATH
    export TMOUT=600              #Log out automatically after 600 seconds of inactivity
    
    [root@lpf ~]# vi /etc/login.defs
    # Use SHA512 to encrypt password.
    
    ENCRYPT_METHOD SHA512
    PASS_MAX_DAYS 30             #Set the password validity period to 30 days
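
Every setting in this exercise is "replace or append one line in a file", which is worth doing idempotently so that re-running the hardening does not duplicate lines. The script below is an added example, not the article's own code; it works on copies in a temporary directory built by make_config_samples(), and the file names inside that directory (profile, login.defs, sudoers, bash_profile, bash_logout) are this script's own convention for the real paths.

```shell
#!/bin/sh
# Added example, not from the original article: apply the settings from
# exercise 4 (sudo logging, HISTSIZE, history cleanup, TMOUT, PASS_MAX_DAYS,
# ENCRYPT_METHOD) idempotently. Every function takes the target file as a
# parameter, so it can be exercised on copies first; make_config_samples()
# builds constructed copies in a temporary directory.

# Replace the line that starts with "$key" (followed by a space, tab or "=")
# or append "$key$sep$value" when no such line exists. Running it twice
# leaves exactly one line.
set_setting() {                 # $1 = file, $2 = key, $3 = value, $4 = separator
    file=$1 key=$2 value=$3 sep=$4
    if grep -q "^${key}[[:space:]=]" "$file"; then
        sed "s|^${key}[[:space:]=].*|${key}${sep}${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}

# Append an exact line unless it is already present (used for sudoers and
# ~/.bash_logout entries, where key/value replacement does not apply).
ensure_line() {                 # $1 = file, $2 = line
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Apply the whole exercise to the copies in directory $1.
harden_copies() {               # $1 = directory holding the config copies
    set_setting "$1/profile"      HISTSIZE        200    "="
    set_setting "$1/login.defs"   PASS_MAX_DAYS   30     " "
    set_setting "$1/login.defs"   ENCRYPT_METHOD  SHA512 " "
    set_setting "$1/bash_profile" "export TMOUT"  600    "="
    ensure_line "$1/sudoers"      'Defaults logfile="/var/log/sudo"'
    ensure_line "$1/bash_logout"  'history -c'
    ensure_line "$1/bash_logout"  'clear'
}

# Constructed "before" copies with the default values the exercise changes.
make_config_samples() {
    d=$(mktemp -d)
    printf 'HISTSIZE=1000\nexport PATH\n' > "$d/profile"
    printf 'PASS_MAX_DAYS\t99999\nENCRYPT_METHOD MD5\n' > "$d/login.defs"
    printf 'root ALL=(ALL) ALL\n' > "$d/sudoers"
    printf 'export PATH\n' > "$d/bash_profile"
    printf '# ~/.bash_logout\n' > "$d/bash_logout"
    echo "$d"
}

hardening_demo() {
    d=$(make_config_samples)
    harden_copies "$d"
    for f in profile login.defs sudoers bash_profile bash_logout; do
        echo "== $f"; cat "$d/$f"
    done
    rm -rf "$d"
}

# Run the demo with: sh harden.sh demo
if [ "${1:-}" = "demo" ]; then hardening_demo; fi
```

Before copying a modified sudoers over /etc/sudoers, check it with `visudo -c -f <copy>`; the profile and login.defs changes only affect logins and accounts created after the edit, so existing accounts still need chage as in 1.1.2.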
    
  5. Disable the Ctrl+Alt+Del shortcut and prevent root from logging in on tty5 and tty6
    [root@lpf ~]# vim /etc/securetty
    
    tty4
    #tty5                                   #commented out: root may no longer log in on tty5
    #tty6                                   #commented out: root may no longer log in on tty6
    tty7
    tty8
    
  6. Enable the password restriction for the GRUB boot menu
[root@lpf ~]# grub2-setpassword
Enter password:                         #Enter 123456
Confirm password:                       #Enter 123456
[root@lpf ~]# cat /boot/grub2/user.cfg  #Check that the password has been added
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.1A32A17287DE9542A66EF5629975A9DA5BA2BB4D5554B10DA0F410BC911264A640ADD82574A9F5A0AF2A840239516A3F31685BA69F6270D5901022131C6B879F.89AC4391BFD9425A11FE6E4FD373BE91F40F7E5581857C9E76F6720FABF121F13A6CF586F00DF817B0E5FD8961266AE0DEB056131FC443D4F98E06313680CEF8zha
[root@lpf ~]# reboot                    #After restart, press e in the GRUB menu; enter root and 123456 to verify

Tags: sudo Linux shell network

Posted on Wed, 24 Jun 2020 23:16:52 -0400 by gsaldutti