Linux system security management

1, Account security control

1.1: basic measures for account security

1.1.1: system account cleaning

● set the shell of non-login users to /sbin/nologin

    [root@lpf ~]# grep "/sbin/nologin$" /etc/passwd    #View the non-login users
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    ...Omit part of the content
    [root@lpf ~]# grep "bash$" /etc/passwd    #View the users whose login shell is bash
    [root@lpf ~]# vi /etc/passwd

● lock accounts that are not used for a long time

    [root@lpf ~]# useradd tom
    [root@lpf ~]# passwd tom
    passwd: All authentication tokens have been successfully updated.
    [root@lpf ~]# usermod -L tom    #Lock the account
    [root@lpf ~]# passwd -S tom
    tom LK 2020-06-22 0 99999 7 -1 (The password is locked.)
    [root@lpf ~]# usermod -U tom    #Unlock the account
    [root@lpf ~]# passwd -S tom
    tom PS 2020-06-22 0 99999 7 -1 (Password set, use SHA512 Algorithm.)
    [root@lpf ~]# usermod -L tom
    [root@lpf ~]# vi /etc/shadow
    tom:!$6$ewqXSVmV$nWbW74WqfC110ty8nz48c7SZw.rXUqWfgZmLJitEILuquAv9ESfqu1bR6MJYr03eHClD5qyUfhNmeMjXpB5BG/:18435:0:30:7:::    #The "!" placed in front of the password hash is the lock; remove it and the account can log in again
    [root@lpf ~]# passwd -S tom
    tom PS 2020-06-22 0 30 7 -1 (Password set, use SHA512 Algorithm.)    #Shown as unlocked

● delete useless accounts

Some non-login users are rarely used, such as news, uucp, games, gopher, etc. These can be regarded as redundant accounts and deleted directly.

In addition, some user accounts are created when application programs are installed. If such an account is not removed automatically when the program is uninstalled, it needs to be deleted manually.

    [root@lpf ~]# userdel -r tom    #Delete the user together with its home directory

● lock the account files passwd and shadow

    [root@lpf ~]# chattr +i /etc/passwd /etc/shadow    #Lock the files
    [root@lpf ~]# lsattr /etc/passwd /etc/shadow        #View the status
    ----i----------- /etc/passwd
    ----i----------- /etc/shadow
    [root@lpf ~]# chattr -i /etc/passwd /etc/shadow    #File unlocking
    [root@lpf ~]# lsattr /etc/passwd /etc/shadow
    --------------- /etc/passwd
    --------------- /etc/shadow

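As an added example (not from the original post), the following script audits the three things the account sections check: which accounts still have an interactive shell, which are locked with the "!" prefix, and which have a password maximum age longer than the limit set in 1.1.2. The passwd and shadow data are constructed for the example; a real audit would read /etc/passwd and /etc/shadow as root.

```shell
# Added example: audit account hygiene from constructed passwd/shadow data.
# The hashes are placeholders, not real values.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
tom:x:1005:1005::/home/tom:/bin/bash
radmin:x:1004:1004::/home/radmin:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$constructedhash:18435:0:99999:7:::
bin:*:17834:0:99999:7:::
games:*:17834:0:99999:7:::
tom:!$6$ewqXSVmV$constructedhash:18435:0:30:7:::
radmin:$6$abcdefgh$constructedhash:18435:0:99999:7:::'

# Accounts that can actually log in: field 7 (shell) is not nologin/false.
login_shell_users() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Accounts locked with usermod -L / passwd -l: the hash field starts with "!".
locked_users() {
    printf '%s\n' "$SAMPLE_SHADOW" |
        awk -F: 'substr($2, 1, 1) == "!" { print $1 }'
}

# Accounts with a usable password whose maximum age (field 5) exceeds LIMIT
# days; 99999 is the default and means the password never expires. Locked
# ("!") and passwordless ("*") entries are skipped.
stale_aging_users() {
    printf '%s\n' "$SAMPLE_SHADOW" |
        awk -F: -v lim="$1" '$2 !~ /^[!*]/ && $5 + 0 > lim + 0 { print $1 }'
}

# Report for a reader running the block directly.
echo "login shells: $(login_shell_users | tr '\n' ' ')"
echo "locked:       $(locked_users | tr '\n' ' ')"
echo "max age > 30: $(stale_aging_users 30 | tr '\n' ' ')"
```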
1.1.2: password security control

● set password validity period
● require the user to change the password at the next login

For new users:

    [root@lpf ~]# vi /etc/login.defs
    PASS_MAX_DAYS 30

For existing users:

    [root@lpf ~]# chage -M 30 lisi    #Set the maximum password age to 30 days
    [root@lpf ~]# chage -d 0 lisi     #Force a password change at the next login

1.1.3: command history, automatic logout

Command history limit

Reduce the number of recorded commands: in the bash terminal environment, the number of history records is controlled by the variable HISTSIZE, which is 1000 by default. Modifying the HISTSIZE value in the /etc/profile file affects all users in the system; exporting it on the command line affects only the current user.

    [root@lpf ~]# vi /etc/profile    #For users not created yet, modify the configuration file
    ............
    HISTSIZE=200    #Change HISTSIZE=1000 to HISTSIZE=200
    [root@lpf ~]# export HISTSIZE=200    #Applies to the current user, with immediate effect
    [root@lpf ~]# vi ~/.bash_logout    #Clear the history automatically when the account logs out
    history -c
    clear

After editing the /etc/profile file, you need to run source /etc/profile or reboot to make it effective.

Automatic logout

    [root@lpf ~]# vi ~/.bash_profile
    ............
    export TMOUT=600    #Log the account out automatically after 600 seconds of inactivity

1.2: user switching and rights raising

Most Linux servers do not recommend that users log in directly as root.

On the one hand, it can greatly reduce the damage caused by misoperation

On the other hand, it also reduces the risk of the privileged password being leaked in the insecure network

There are two commands, su and sudo:

The su command is mainly used to switch users

The sudo command is used to elevate execution permissions

1.2.1: su command - switch user
  1. With the su command, you can switch to another specified user and thereby obtain all the permissions of that user

The password of the target user must be verified when switching (not required when switching from root to another user)

su command basic format (Substitute User): su - target user

    [root@localhost ~]# su - lisi    #Switching from root to another user does not require a password
    [lisi@localhost ~]$ su - root    #Password required to switch from another user to root

In the above operations, "-" is equivalent to "--login" or "-l", which means entering the login shell environment of the target user after switching. If this option is omitted, only the identity is switched and the user environment is not.

    [tom@lpf opt]$ su root    #Switch to root but keep the current shell environment
    password:
    [root@lpf opt]# exit
    exit
    [tom@lpf opt]$ su - root    #Switch to the shell environment of the new account
    password:
    Last login: Mon Jun 22 18:47:39 CST 2020 on pts/0
    [root@lpf ~]#
  2. Restrict which users can use the su command

Add the users who are allowed to use the su command to the wheel group, then enable the pam_wheel authentication module.

    [root@lpf ~]# gpasswd -a radmin wheel    #Add the user to the wheel group
    Adding user 'radmin' to the 'wheel' group
    [root@lpf ~]# grep wheel /etc/group
    wheel:x:10:radmin
    [root@lpf ~]# vi /etc/pam.d/su    #Enable the pam_wheel authentication module
    #%PAM-1.0
    auth            sufficient      pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth           sufficient      pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    auth            required        pam_wheel.so use_uid    #Uncommented
    auth            substack        system-auth
    auth            include         postlogin
    [root@lpf ~]# su lpf
    [lpf@lpf root]$ su radmin
    password:
    su: Permission denied
    [lpf@lpf root]$ su root
    password:
    su: Permission denied
1.3: PAM security authentication in Linux

1.3.1: su command security risks

  • By default, any user is allowed to use the su command, which gives an opportunity to repeatedly guess other users' login passwords and brings risk

    The pam_wheel authentication module can restrict the su command to the specified permitted users

1.3.2 principle of PAM authentication

1) PAM (Pluggable Authentication Modules) is an efficient, flexible and convenient user-level authentication mechanism that is widely used on current Linux servers
2) PAM authentication generally follows the order: service → PAM configuration file → pam_*.so (the .so suffix denotes a module file)
3) PAM authentication first determines which service is involved, then loads the corresponding PAM configuration file (located under /etc/pam.d), and finally calls the authentication module (located under /lib/security) to perform the security authentication.
4) When users access the server, a service program on the server passes the users' requests to the PAM modules for authentication
5) Different applications use different PAM modules

1.3.3 composition of PAM authentication

To check whether a program supports PAM authentication, you can use the ls command; for example, to check whether su supports PAM module authentication:

    [root@lpf ~]# ls /etc/pam.d | grep su

Check the PAM configuration file of su: cat /etc/pam.d/su

Each line is an independent authentication process

Each line can be divided into three fields (authentication type, control type, PAM module and its parameters)

There are four types of PAM authentication: authentication management, account management, password management and session management

1.3.4: PAM security authentication process
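The process above, applied to the su restriction from 1.2.1, as an added example that is not the page's own code: a simplified model of how PAM walks the "auth" lines of /etc/pam.d/su for a caller. It models only the "sufficient" and "required" control flags and the pam_rootok/pam_wheel modules; the password-prompting modules (system-auth, postlogin) are assumed to succeed, and the config and group data are constructed.

```shell
# Added example: simplified evaluation of the su auth stack (constructed data).
PAM_SU='#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin'
# Variant with the "trust" line uncommented: wheel members skip the password.
PAM_SU_TRUST=$(printf '%s\n' "$PAM_SU" | sed 's/^#auth sufficient/auth sufficient/')

GROUP_FILE='root:x:0:
wheel:x:10:radmin
tom:x:1005:
lpf:x:1000:'

# in_wheel USER: exit 0 if USER is listed as a member of the wheel group.
in_wheel() {
    printf '%s\n' "$GROUP_FILE" | awk -F: -v u="$1" '
        $1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }'
}

# su_auth_decision CALLER UID [CONFIG]: prints one of
#   nopassword - a sufficient module succeeded, no password will be asked
#   password   - the stack reached the password modules
#   deny       - a required module (pam_wheel) rejected the caller
su_auth_decision() {
    if in_wheel "$1"; then wheel=1; else wheel=0; fi
    printf '%s\n' "${3:-$PAM_SU}" | awk -v uid="$2" -v wheel="$wheel" '
        /^#/ || NF == 0 || $1 != "auth" { next }
        {
            if ($3 == "pam_rootok.so")     ok = (uid + 0 == 0)    # only uid 0 passes
            else if ($3 == "pam_wheel.so") ok = (wheel + 0 == 1)  # wheel membership
            else                           ok = 1                 # password modules
            # sufficient: success ends the stack early, unless a required module already failed
            if ($2 == "sufficient" && ok && !failed) { verdict = "nopassword"; exit }
            # required: failure is remembered, but the remaining modules still run
            if ($2 == "required" && !ok) failed = 1
        }
        END { if (verdict == "") verdict = failed ? "deny" : "password"; print verdict }'
}

echo "root   -> $(su_auth_decision root 0)"
echo "radmin -> $(su_auth_decision radmin 1004)"
echo "lpf    -> $(su_auth_decision lpf 1000)"
echo "radmin with trust line -> $(su_auth_decision radmin 1004 "$PAM_SU_TRUST")"
```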

1.4: use the sudo mechanism to elevate permissions

1.4.1: disadvantages of the su command

It is very convenient to switch to another user with the su command, but only if you know the login password of the target user.
For Linux servers in a production environment, the security risk grows with each additional person who knows the privileged password.

1.4.2: purpose and usage of the sudo command

Purpose: to execute authorized commands as another user (such as root)

Usage: sudo <authorized command>

1.4.3: configure sudo authorization

The configuration file of the sudo mechanism is /etc/sudoers. The default permission of the file is 440, and it should be edited with the dedicated visudo tool. If you edit it with vi, you must save with ":w!" to force the write, otherwise the system reports a read-only file and refuses to save.

    [root@lpf ~]# visudo
    zhangsan localhost=/sbin/useradd,/bin/passwd,!/sbin/ifconfig
    %wheel ALL=(ALL) NOPASSWD: ALL

Format: user  host name list = command program list
    *: wildcard
    !: negation (the command is excluded)
    %: the name denotes a group

1.4.4: sudo experiment

Experiment 1

    [root@lpf ~]# id tom
    uid=1005(tom) gid=1005(tom) groups=1005(tom)
    [root@lpf ~]# id radmin
    uid=1004(radmin) gid=1004(radmin) groups=1004(radmin)
    [root@lpf ~]# vi /etc/sudoers
    tom lpf=/sbin/*,!/sbin/ifconfig
    radmin lpf=/sbin/ifconfig
    %wheel ALL=(ALL) NOPASSWD: ALL
    [root@lpf ~]# su tom
    [tom@lpf root]$ sudo ifconfig ens33:2 192.168.200.10/24
    [sudo] password for tom:
    Sorry, user tom is not allowed to execute '/sbin/ifconfig ens33:2 192.168.200.10/24' as root on lpf.
    [root@lpf ~]# su radmin
    [radmin@lpf root]$ sudo ifconfig ens33:2 192.168.200.10/24
    [sudo] password for radmin:
    [radmin@lpf root]$ ifconfig
    ens33:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.200.10  netmask 255.255.255.0  broadcast 192.168.200.255
            ether 00:0c:29:2f:0b:bb  txqueuelen 1000  (Ethernet)

Experiment 2

    [root@lpf ~]# visudo
    ## Allow root to run any commands anywhere
    root    ALL=(ALL)       ALL
    tom     ALL=(ALL)       ALL    #Give tom administrator permission
    #tom lpf=/sbin/*,!/sbin/ifconfig
    radmin lpf=/sbin/ifconfig
    [tom@lpf root]$ sudo ifconfig ens33:3 192.168.200.20/24
    ens33:3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.200.20  netmask 255.255.255.0  broadcast 192.168.200.25
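To make the rule semantics of Experiment 1 concrete, here is an added example (not the page's or sudo's own code): a simplified matcher for "user host=cmd,...,!cmd" rules. It handles ALL, a (runas) group, the NOPASSWD: tag and "!" negation; real sudoers syntax (aliases, %group rules, argument wildcards, Defaults) is much richer. The rules are constructed for the example.

```shell
# Added example: simplified sudoers rule matching (constructed rules).
SUDOERS='# User host=command list
tom     lpf=/sbin/*,!/sbin/ifconfig
radmin  lpf=/sbin/ifconfig
lisi    ALL=(ALL) NOPASSWD: ALL
%wheel  ALL=(ALL) NOPASSWD: ALL'

# sudo_allowed USER HOST COMMAND: prints allow or deny.
sudo_allowed() {
    user=$1 host=$2 cmd=$3 result=deny
    # Pull the command lists from every rule whose user and host match.
    specs=$(printf '%s\n' "$SUDOERS" | awk -v u="$user" -v h="$host" '
        /^#/ || NF == 0 { next }
        $1 == u {
            rh = $2; sub(/=.*/, "", rh)               # host part before "="
            if (rh != h && rh != "ALL") next
            rest = $0; sub(/^[^=]*=[ \t]*/, "", rest) # drop "user host="
            sub(/^\([^)]*\)[ \t]*/, "", rest)         # drop "(runas)"
            sub(/^NOPASSWD:[ \t]*/, "", rest)         # drop the tag
            print rest
        }')
    # Entries are evaluated in order and a later match overrides an earlier
    # one, which is why "/sbin/*,!/sbin/ifconfig" ends up denying ifconfig.
    nl=$(printf '\nx'); nl=${nl%x}
    old_ifs=$IFS; IFS=",$nl"
    set -f    # keep the shell from expanding "/sbin/*" against the real filesystem
    for entry in $specs; do
        case $entry in
            '!'*) pattern=${entry#!}; verdict=deny ;;
            *)    pattern=$entry;     verdict=allow ;;
        esac
        if [ "$pattern" = ALL ]; then pattern='*'; fi
        case $cmd in
            $pattern) result=$verdict ;;
        esac
    done
    set +f
    IFS=$old_ifs
    echo "$result"
}

echo "tom    /sbin/useradd  -> $(sudo_allowed tom lpf /sbin/useradd)"
echo "tom    /sbin/ifconfig -> $(sudo_allowed tom lpf /sbin/ifconfig)"
echo "radmin /sbin/ifconfig -> $(sudo_allowed radmin lpf /sbin/ifconfig)"
```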
1.4.5: View sudo operation records

    The Defaults logfile option needs to be enabled in /etc/sudoers; by default sudo operations are not written to a dedicated log file.

    Default log file: /var/log/sudo

    [root@lpf ~]# visudo    #Edit the sudo configuration
    Defaults logfile="/var/log/sudo"    #Add this line to the configuration
    [root@lpf ~]# su - tom    #Switch to the user tom
    [tom@lpf ~]$ sudo ifconfig ens33 22.22.22.22    #Perform an operation to see whether it is recorded in the log file
    [sudo] password for tom:
    [root@lpf ~]# cat /var/log/sudo    #View the log file
    ... COMMAND=/sbin/ifconfig ens33 22.22.22.22    #The operation just performed is recorded
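As an added example (not from the original post), the following functions summarise the log file that "Defaults logfile" produces, which is what a reviewer would actually check. The lines are constructed in the format sudo writes ("date : user : [message ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...").

```shell
# Added example: review a sudo logfile (constructed sample lines).
SUDO_LOG='Jun 23 00:10:11 : tom : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/ifconfig ens33 22.22.22.22
Jun 23 00:12:40 : tom : command not allowed ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/ifconfig ens33:2 192.168.200.10/24
Jun 23 00:13:05 : radmin : TTY=pts/1 ; PWD=/home/radmin ; USER=root ; COMMAND=/sbin/ifconfig ens33:2 192.168.200.10/24
Jun 23 00:15:22 : tom : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/passwd root'

# sudo_commands_run USER: the commands USER actually executed through sudo
# (an entry with no message between the user and the TTY= field).
sudo_commands_run() {
    printf '%s\n' "$SUDO_LOG" |
        awk -F' : ' -v u="$1" '$2 == u && $3 ~ /^TTY=/ { sub(/.*COMMAND=/, ""); print }'
}

# sudo_alerts: entries a reviewer should look at, printed as "user<TAB>message":
# commands refused by the sudoers policy and repeated wrong passwords.
sudo_alerts() {
    printf '%s\n' "$SUDO_LOG" |
        awk -F' : ' '$3 !~ /^TTY=/ { msg = $3; sub(/ ;.*/, "", msg); print $2 "\t" msg }'
}

echo "tom ran:"; sudo_commands_run tom
echo "alerts:";  sudo_alerts
```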
2: System boot and login control

2.1: boot security control

2.1.1: adjust BIOS boot settings

Set the first boot device as the hard disk of the current system
Do not boot the system from other devices (CD, USB, network)
Set the security level to setup and set the administrator password

2.1.2: GRUB limit

Use grub2-mkpasswd-pbkdf2 to generate the password hash
Modify the /etc/grub.d/00_header file and add the password record
Generate a new grub.cfg configuration file

2.1.3: experiment process

    [root@lpf ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak    #Back up the grub configuration file
    [root@lpf ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak    #Back up the /etc/grub.d/00_header file
    [root@lpf ~]# grub2-setpassword    #Set the GRUB password
    Enter password:    #For example, enter 123123
    Confirm password:    #Repeat 123123
    [root@lpf ~]# cat /boot/grub2/user.cfg    #Check whether the password was added
    [root@lpf ~]# reboot    #After restart, press e at the GRUB menu to verify that the password is requested
2.2: terminal login security control

2.2.1: restrict root to log in only on secure terminals

  • Secure terminal configuration: /etc/securetty

    [root@localhost ~]# vim /etc/securetty    #Enter the terminal configuration
    ... Omit part of the content
    vc/9
    vc/10
    vc/11
    tty1
    #tty2    #Forbid root login from terminal tty2 by commenting the line out
    #tty3    #Forbid root login from terminal tty3 by commenting the line out
    tty4
    tty5
    tty6
    tty7
    ... Omit part of the content

    Supplement: tty

    tty: general term for terminal equipment.

    tty originated from Teletype, originally referring to teletypewriters, which read and sent information through a printer keyboard over a serial line. Later they were replaced by keyboard and display, so "terminal" is now the more suitable name. A terminal is a character device, of which there are many types; tty is usually used as an abbreviation for the various types of terminal equipment.

    tty1-6 are text consoles and tty7 is the X Window graphical display manager.

    On the local machine, you can use Ctrl+Alt+F1 (F1-F7) to switch to the corresponding login console.

2.2.2: normal users are not allowed to log in

  • Create the /etc/nologin file

  • Delete the nologin file, or wait for it to be cleared on restart, to return to normal

    [root@lpf ~]# touch /etc/nologin    #Disable normal user login
    [root@lpf ~]# rm -rf /etc/nologin    #Remove the above login restriction

Usually used for maintenance (only root can log in; other users cannot). For example:

    [root@lpf ~]# touch /etc/nologin
    At this time, other users cannot log in: even if the password is entered correctly, the login is refused. Only root can log in.
    [root@lpf ~]# rm -rf /etc/nologin
    After the login restriction is removed, other users can log in normally again.
3, Weak password detection

3.1: John the Ripper, abbreviated JR

  • A password analysis tool that supports dictionary and brute-force cracking
  • By analysing the password hashes in the shadow file, password strength can be checked
  • Obtain the software yourself if you need it

3.2: weak password experiment: check your passwords with the john tool

    [root@lpf ~]# cd /opt    #Upload the software to /opt
    [root@lpf opt]# ll
    total 5324
    -rw-r--r--. 1 root root 5450412 Jun 22 23:59 john-1.8.0.tar.gz
    drwxr-xr-x. 3 root root      16 Jun 10 09:09 opt
    drwxr-xr-x. 2 root root       6 Oct 31  2018 rh
    [root@lpf opt]# tar zxvf john-1.8.0.tar.gz
    [root@lpf opt]# cd john-1.8.0
    [root@lpf john-1.8.0]# ll
    total 4
    drwxr-xr-x. 2 root root  208 Jun 23 00:00 doc
    lrwxrwxrwx. 1 root root   10 May 30  2013 README -> doc/README
    drwxr-xr-x. 2 root root  143 Jun 23 00:00 run
    drwxr-xr-x. 2 root root 4096 Jun 23 00:00 src
    [root@lpf john-1.8.0]# cd src
    [root@lpf src]# make clean linux-x86-64
    [root@lpf run]# ll
    ......
    -rwxr-xr-x. 1 root root 283184 Jun 23 00:03 john    #Confirm that the executable john has been generated
    [root@lpf src]# cd ..
    [root@lpf john-1.8.0]# ll
    total 8
    drwxr-xr-x. 2 root root  208 Jun 23 00:00 doc
    lrwxrwxrwx. 1 root root   10 May 30  2013 README -> doc/README
    drwxr-xr-x. 2 root root  198 Jun 23 00:03 run
    drwxr-xr-x. 2 root root 4096 Jun 23 00:03 src
    [root@lpf john-1.8.0]# cd run
    [root@lpf run]# cp /etc/shadow /root/shadow.txt    #Prepare a copy of the password file to be checked
    [root@lpf run]# ./john /root/shadow.txt
    Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64])
    Press 'q' or Ctrl-C to abort, almost any other key for status
    123456           (radmin)
    123456           (tom)
    123456           (root)
    123456           (lpf)
    4g 0:00:00:28 100% 2/3 0.1418g/s 417.2p/s 427.4c/s 427.4C/s 123456..pepper
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed
    [root@lpf run]# ./john --show /root/shadow.txt    #View the cracked passwords
    root:123456::0:99999:7:::
    lpf:123456::0:99999:7:::
    radmin:123456:18435:0:30:7:::
    tom:123456:18435:0:30:7:::
    4 password hashes cracked, 0 left
    [root@lpf run]# ./john --w:/root/passwd.lst /root/shadow.txt
    Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64])
    No password hashes left to crack (see FAQ)    #Already-cracked hashes are remembered in john.pot; delete those entries to run the check again
    [root@lpf run]# vi john.pot    #Delete the recorded entries (for example with 100dd)
    [root@lpf run]# ./john --wordlist=./password.lst /root/shadow.txt
    Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64])
    Press 'q' or Ctrl-C to abort, almost any other key for status
    123456           (radmin)
    123456           (tom)
    123456           (root)
    123456           (lpf)
    4g 0:00:00:00 100% 4.395g/s 105.4p/s 421.9c/s 421.9C/s 123456..pepper
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed
4: Port scan

4.1: NMAP

A powerful network scanning and security detection tool

It can detect which hosts in the LAN are online, or which ports are opened in a host

Scan syntax for nmap

nmap [scan type] [options] <scan target>

Common scan types

-sS, -sT, -sF, -sU, -sP, -P0

-sT: TCP port scan

-sU: UDP port scan

-sP: ping scan (host discovery)

4.2: nmap experiment
    [root@lpf run]# rpm -q nmap
    package nmap is not installed
    [root@lpf run]# yum install nmap -y
    ...Omitted here
    [root@lpf run]# nmap -sP 20.0.0.0/24    #Check which hosts are online in the 20.0.0.0/24 network segment
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-06-23 00:40 CST
    Nmap scan report for 20.0.0.1
    Host is up (0.00052s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 20.0.0.2
    Host is up (0.00014s latency).
    MAC Address: 00:50:56:E9:D3:80 (VMware)
    Nmap scan report for 20.0.0.41
    Host is up.
    Nmap done: 256 IP addresses (3 hosts up) scanned in 2.09 seconds
    [root@lpf run]# nmap -sT 20.0.0.41    #Check which TCP ports are open on 20.0.0.41
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-06-23 00:41 CST
    Nmap scan report for 20.0.0.41
    Host is up (0.00092s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    6000/tcp open  X11
    Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
5, Exercises:

  1. Only user radmin is allowed to use the su command

    [root@lpf ~]# useradd radmin
    [root@lpf ~]# passwd radmin
    Change the password of user radmin.
    New password:
    Invalid password: password is less than 8 characters
    Reenter new password:
    passwd: all authentication tokens have been successfully updated.
    [root@lpf ~]# gpasswd -a radmin wheel
    Adding user 'radmin' to the 'wheel' group
    [root@lpf ~]# grep wheel /etc/group
    wheel:x:10:radmin
    [root@lpf ~]# vi /etc/pam.d/su
    #%PAM-1.0
    auth            sufficient      pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth           sufficient      pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    auth            required        pam_wheel.so use_uid    #Uncommented
    auth            substack        system-auth
    auth            include         postlogin
    [root@lpf ~]# su lpf
    [lpf@lpf root]$ su radmin
    password:
    su: Permission denied
    [lpf@lpf root]$ su root
    password:
    su: Permission denied

  2. Allow user zhangsan to manage employee accounts through sudo

    [root@lpf ~]# visudo
    zhangsan ALL=(ALL) NOPASSWD: ALL
    %wheel ALL=(ALL) NOPASSWD: ALL

  3. Allow the user lisi to execute a privileged command through sudo

    [root@lpf ~]# vi /etc/sudoers
    lisi localhost=/sbin/ifconfig    #Format: user  machine = commands

  4. Record su and sudo operations and make simple system security settings

    By default, actions performed through sudo are not recorded. To enable sudo logging, add the "Defaults logfile" option to the /etc/sudoers file.

    As follows: add the sudo logging function

    [root@lpf lpf]# vi /etc/sudoers
    Defaults logfile="/var/log/sudo"
    Defaults logfile="/var/log/su"
    [root@lpf ~]# vi /etc/profile
    HISTSIZE=200    #Default 1000; set 200 to reduce the number of commands kept in history
    [root@lpf ~]# vi ~/.bash_logout
    history -c    #Clear the command history when the account logs out
    [root@lpf ~]# vi ~/.bash_profile
    export PATH
    export TMOUT=600    #Log out automatically after 600 seconds of inactivity
    [root@lpf ~]# vi /etc/login.defs
    # Use SHA512 to encrypt password.
    ENCRYPT_METHOD SHA512
    PASS_MAX_DAYS 30    #Set the password validity to 30 days

  5. Disable the Ctrl+Alt+Del shortcut key, and prevent root from logging in from tty5 and tty6

    [root@lpf ~]# vim /etc/securetty
    tty4
    #tty5
    #tty6
    tty7
    tty8

  6. Enable the password restriction for the GRUB boot menu

    [root@lpf ~]# grub2-setpassword
    Enter password:    #Input 123456
    Confirm password:    #Input 123456
    [root@lpf ~]# cat /boot/grub2/user.cfg    #Check whether the password was added
    GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.1A32A17287DE9542A66EF5629975A9DA5BA2BB4D5554B10DA0F410BC911264A640ADD82574A9F5A0AF2A840239516A3F31685BA69F6270D5901022131C6B879F.89AC4391BFD9425A11FE6E4FD373BE91F40F7E5581857C9E76F6720FABF121F13A6CF586F00DF817B0E5FD8961266AE0DEB056131FC443D4F98E06313680CEF8zha
    [root@lpf ~]# reboot    #Press e at the GRUB menu to obtain editing permission, then enter root / 123456 to verify

24 June 2020, 23:16 | Views: 3372
