Linux system security management

Article catalog

• 1, Account security control
• 1.1: basic measures for account security
• 1.1.1: system account cleaning
• 1.1.2: password security control
• 1.1.3: command history, automatic logout
• 1.2 user switching and rights raising
• 1.2.1: su command - switch user
• 1.3: PAM security authentication in Linux
• 1.3.1: safety hazards of su command
• 1.3.2 principle of PAM certification
• 1.3.3 composition of PAM certification
• 1.3.4: PAM safety certification process
• 1.4: use sudo mechanism to enhance permissions
• 1.4.1: disadvantages of su command
• 1.4.2: use and usage of sudo command
• 1.4.3: configure sudo authorization
• 1.4.4: sudo experiment
• 1.4.5: View sudo operation records
• 2: System boot and login control
• 2.1: switch safety control
• 2.1.1: adjust BIOS boot settings
• 2.1.2: GRUB limit
• 2.1.3: experiment process
• 2.2: terminal login security control
• 2.2.1: restrict root to log in only at the security terminal
• Add tty
• 2.2.2: normal users are not allowed to log in
• 3, Weak password detection
• 3.1: joint the Ripper, referred to as JR
• 3.2: weak password experiment: check your password through john tool
• 4: Port scan
• 4.1: NMAP
• 4.2: nmap experiment
• 5, Exercise:
• Only user radmin is allowed to use su command
• Allow user zhangsan to manage employee account through sudo
• Allow user lisi account to execute privileged command through sudu
• Record Su and sudo operations and make simple system security settings
• Disable Ctrl + Alt + Del shortcut key, and prevent root user from logging in from tty5, tty6
• Enable password restriction for GRUB boot menu

● set the Shell of non login user to / sbin/nologin

[root@lpf ~]# grep "/sbin/nologin$" /etc/passwd #View non logged in users' bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin ...Omit part of the content [root@lpf ~]# grep "bash$" /etc/passwd #View currently logged in users' [root@lpf ~]# vi /etc/passwd

● lock accounts that are not used for a long time

[root@lpf ~]# useradd tom [root@lpf ~]# passwd tom passwd: All authentication tokens have been successfully updated. [root@lpf ~]# usermod -L tom [root@lpf ~]# passwd -S tom tom LK 2020-06-22 0 99999 7 -1 (The password is locked.) [root@lpf ~]# usermod -U tom [root@lpf ~]# passwd -S tom tom PS 2020-06-22 0 99999 7 -1 (Password set, use SHA512 Algorithm.) [root@lpf ~]# usermod -L tom [root@lpf ~]# vi /etc/shadow tom:!$6$ewqXSVmV$nWbW74WqfC110ty8nz48c7SZw.rXUqWfgZmLJitEILuquAv9ESfqu1bR6MJYr03eHClD5qyUfhNmeMjXpB5BG/:18435:0:30:7::: #Password placeholder is! , unable to log in //Put it! Get rid of it and you can log out [root@lpf ~]# passwd -S tom tom PS 2020-06-22 0 30 7 -1 (Password set, use SHA512 Algorithm.) #Display unlocked

● delete useless account

Some of the non login users are rarely used, such as news, uucp, games, gopher, etc. These users can be regarded as redundant accounts and can be deleted directly

In addition, there are some user accounts installed with the application program. If the program fails to be automatically deleted after uninstallation, it needs to be manually deleted

[root@lpf ~]# userdel -r tom #Delete user and home directory

● lock account files passwd and shadow
[ root@localhost ~]#Chat + I / etc / passwd / etc / shadow
[ root@localhost ~]#Isattr / etc / passwd / etc / shadow ා lock the file and view the status

[root@lpf ~]# chattr +i /etc/passwd /etc/shadow [root@lpf ~]# lsattr /etc/passwd /etc/shadow ----i----------- /etc/passwd ----i----------- /etc/shadow [root@lpf ~]# chattr -i /etc/passwd /etc/shadow #File unlocking [root@lpf ~]# lsattr /etc/passwd /etc/shadow --------------- /etc/passwd --------------- /etc/shadow

● set password validity period
● require the user to change the password at the next login

[root@lpf ~]# vi /letc/profile HISTSIZE=200 [root@lpf ~]# vi ~/.bash_ logout #Auto clear history command after account exit history -C clear

Command history limit

Reduce the number of recorded commands: in bash terminal environment, the number of historical command records is controlled by the variable HISTSIZE, which is 1000 by default. By modifying the HISTSIZE variable value in the / etc/profile file, you can affect all users in the system

Most Linux servers do not recommend that users log in directly as root.

On the one hand, it can greatly reduce the damage caused by misoperation

On the other hand, it also reduces the risk of the privileged password being leaked in the insecure network

su, sudo two commands

su command is mainly used to switch users

sudo command is used to enhance execution permission

1. With the su command, you can switch to another specified user, thus having all the permissions of that user

The password of the target user needs to be verified when switching (not required to switch from root to other users)

1. Restrict users to su commands

Add users who are allowed to use the su command to the wheel group

[root@lpf ~]# gpasswd -a radmin wheel #Add users to the wheel group //Adding user 'radmin' to the 'wheel' group [root@lpf ~]# grep wheel /etc/group wheel:x:10:radmin [root@lpf ~]# vi /etc/pam.d/su #Enable the pam-WHEEL authentication module #%PAM-1.0 auth sufficient pam_rootok.so Uncomment the following line to implicitly trust users in the "wheel" group. auth sufficient pam_wheel.so trust use_uid Uncomment the following line to require a user to be in the "wheel" group. auth required pam_wheel.so use_uid #note off auth substack system-auth auth include postlogin [root@lpf ~]# su lpf [lpf@lpf root]$ su radmin //password: su: Deny permission [lpf@lpf root]$ su root //password: su: Deny permission

• By default, any user is allowed to use the su command, so there is an opportunity to repeatedly try other users' login passwords, which brings risks

  With PAM_ The wheel authentication module can implement the su command for the specified permitted users

1) PAM (Pluggable Authentication Modules) pluggable authentication module is an efficient, flexible and convenient user level authentication mode, which is also widely used in current Linux servers
2) PAM authentication generally follows the order: Service → PAM (configuration file) → pam_*.so (. So suffix represents module file)
3) PAM authentication first determines which service, then loads the corresponding PAM configuration file (located under /etc/pam.d), and finally calls the authentication file (located under /lib/security) for security authentication.
4) When users access the server, a service program of the server sends users' different requests to PAM module for authentication
5) Different applications have different PAM modules

To check whether a program supports PAM authentication, you can use ls command, for example, to check whether su supports PAM module authentication

[root@lpf ~]# ls /etc/pam.d | grep su

Check the PAM configuration file of Su: cat /etc/pam.d/su

Each line is an independent authentication process

Each line can be divided into three fields (authentication type, control type, PAM module and its parameters)

There are four types of PAM authentication: authentication management, account management, password management and session management

It is very convenient to switch to another user after using su command, but only if you know the login password of the target user
For Linux servers in the production environment, the security risk increases by one point for each additional person who knows the privileged password

Purpose: to execute authorized commands as other users (such as root)

Usage: sudo + authorization command

vi sudo or vi /etc/sudoers: the configuration file of sudo mechanism is / etc/sudoers, and the default permission of the file is 440, which needs to be edited by special visudo tools. If you edit with vi, you must execute ": w!" when saving Command to force the operation, otherwise the system will prompt for read-only file and refuse to save

Experiment 1 [root@lpf ~]# id tom uid=1005(tom) gid=1005(tom) group=1005(tom) [root@lpf ~]# id radmin uid=1004(radmin) gid=1004(radmin) group=1004(radmin) [root@lpf ~]# vi /etc/sudoers tom lpf=/sbin/*,!/sbin/ifconfig radmin lpf=/sbin/ifconfig %wheel ALL=(ALL) NOPASSWD: ALL [root@lpf ~]# su tom [tom@lpf root]$ sudo ifconfig ens33:2 192.168.200.10/24 [sudo] tom Password for: //Sorry, user tom is not authorized to execute / sbin/ifconfig ens33:2 192.168.200.10/24 on lpf as root. [root@lpf ~]# su radmin [radmin@lpf root]$ sudo ifconfig ens33:2 192.168.200.10/24 [sudo] radmin Password for: [radmin@lpf root]$ ifconfig ens33:2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.200.10 netmask 255.255.255.0 broadcast 192.168.200.255 ether 00:0c:29:2f:0b:bb txqueuelen 1000 (Ethernet) //Experiment 2 [root@lpf ~]# visudo ## Allow root to run any commands anywhere root ALL=(ALL) ALL tom ALL=(ALL) ALL #Give tom administrator permission #tom lpf=/sbin/*,!/sbin/ifconfig radmin lpf=/sbin/ifconfig [tom@lpf root]$ sudo ifconfig ens33:3 192.168.200.20/24 ens33:3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.200.20 netmask 255.255.255.0 broadcast 192.168.200.25

• View sudo operation records

  Default logfile configuration needs to be enabled

  Default log file / var/log/sudo

  [root@lpf ~]# vi sudo 'vi sudo profile' //Add in profile Defaults logfile = "/var/log/sudo" 'Add it to the profile' [root@lpf ~]# su - tom 'switch to tom user' [wangwu@lpf ~]$ sudo ifconfig ens33 22.22.22.22 'Do an operation to see if the log file will be recorded' [sudo] tom Password for: [root@lpf ~]# cat /var/log/sudo 'view log file' COMMAND=/sbin/ifconfig ens33 22.22.22.22 'The operation just shown in it'

Set the first boot device as the hard disk of the current system
Do not boot the system from other devices (CD, U SB, network)
Set the security level to setup and set the administrator password

Use grub2-mkpasswd-pbkdf2 to generate secret key
Modify / etc / grub.d/00_ In the header file, add the password record
Generate new grub.cfg configuration file

[root@lpf ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak #Backup grub profile [root@lpf ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak #Add / etc / grub.d/00_ Back up the header file [root@lpf ~]# grub2-setpasswd #Start encrypting your own password //Enter password: ා for example, enter 123123 Reenter password: #Repeat 123123 [root@lpf ~]#cat /boot/grub2/user.cfg #Check whether the password is added [root@lpf ~]# reboot #Press e to verify GRUB password after restart

• Security terminal configuration / etc/securetty

  [ root@localhost ~]#VIM / etc / securetty "enter terminal configuration"
  ... Omit part of the content
  vc/9
  vc/10
  vc/11
  tty1
  #Tty2 "forbid terminal tty2 to log in, and input" no "in front of it."
  #Tty3 "forbid terminal tty3 to log in, and input" no "in front of it."
  tty4
  tty5
  tty6
  tty7
  ... Omit part of the content

  Add tty

  tty: general term for terminal equipment.

  tty originated from Teletypes, or Teletypes, originally refers to teletypewriters, which read and send information through printer keyboard through serial line. Later, it was replaced by keyboard and display, so it is more suitable to call terminal now. Terminal is a kind of character type equipment, which has many types. tty is usually used to abbreviate various types of terminal equipment.

  tty1-6 is text console and tty7 is X Window graphic display manager.

  On the local machine, you can use Ctrl+Alt+F1 (F1-F7) to switch to the corresponding login console.

  2.2.2: normal users are not allowed to log in

  • Create / etc/nologin file

  • Delete nologin file or restore to normal after restart

    [ root@lpf ~]#Touch / etc / nologin 'Disable normal user login' [ root@lpf ~]#RM - RF / etc / nologin 'remove the above login restrictions' "Usually used for maintenance (only root user can log in, other users can't log in)" for example [root@lpf ~]# touch /etc/nologin At this time, use other users to log in. Even if the password is entered correctly, it will prompt that the password does not work, so the user cannot log in. Only root can log in [root@lpf ~]#rm -rf /etc/nologin At this time, after removing the previous login restriction, other users can log in normally

• A cryptanalysis tool that supports dictionary style brute force cracking
• Through password analysis of shadow file, password strength can be detected
• If you need resources, you can do it yourself

[root@lpf ~]# cd /opt #Upload software to / opt [root@lpf opt]# ll //Total consumption 5324 -rw-r--r--. 1 root root 5450412 6 22 23:59 john-1.8.0.tar.gz drwxr-xr-x. 3 root root 16 6 October 09:09 opt drwxr-xr-x. 2 root root 6 10 31 / 2018 rh [root@lpf opt]# tar zxvf john-1.8.0.tar.gz [root@lpf opt]# cd john-1.8.0 [root@lpf john-1.8.0]# ll //Total dosage 4 drwxr-xr-x. 2 root root 208 6 23:00:00 doc lrwxrwxrwx. 1 root root 10 5 30 / 2013 README -> doc/README drwxr-xr-x. 2 root root 143 6 23:00:00 run drwxr-xr-x. 2 root root 4096 6 23:00:00 src [root@lpf john-1.8.0]# cd src [root@lpf src]# make clean linux-x86-64 [root@lpf run]# ll ...... -rwxr-xr-x. 1 root root 283184 6 23:00:03 john #Confirm that the executable program john has been generated [root@lpf src]# cd .. [root@lpf john-1.8.0]# ll //Total consumption 8 drwxr-xr-x. 2 root root 208 6 23:00:00 doc lrwxrwxrwx. 1 root root 10 5 30 / 2013 README -> doc/README drwxr-xr-x. 2 root root 198 6 23:00:03 run drwxr-xr-x. 2 root root 4096 6 23:00:03 src [root@lpf john-1.8.0]# cd run [root@lpf run]# cp /etc/shadow /root/shadow.txt #Prepare password file to be cracked [root@lpf run]# ./john /root/shadow.txt Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64]) Press 'q' or Ctrl-C to abort, almost any other key for status 123456 (radmin) 123456 (tom) 123456 (root) 123456 (lpf) 4g 0:00:00:28 100% 2/3 0.1418g/s 417.2p/s 427.4c/s 427.4C/s 123456..pepper Use the "--show" option to display all of the cracked passwords reliably Session completed [root@lpf run]# ./john --show /root/shadow.txt #View password root:123456::0:99999:7::: lpf:123456::0:99999:7::: radmin:123456:18435:0:30:7::: tom:123456:18435:0:30:7::: 4 password hashes cracked, 0 left [root@lpf run]# ./john --w:/root/passwd.lst /root/shadow.txt Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64]) No password hashes left to crack (see FAQ) #If there is a bug, delete the cracked password and then crack it [root@lpf run]# vi john.pot #100dd delete [root@lpf run]# ./john --wordlist=./password.lst /root/shadow.txt Loaded 4 password hashes with 4 different salts (crypt, generic crypt(3) [?/64]) Press 'q' or Ctrl-C to abort, almost any other key for status 123456 (radmin) 123456 (tom) 123456 (root) 123456 (lpf) 4g 0:00:00:00 100% 4.395g/s 105.4p/s 421.9c/s 421.9C/s 123456..pepper Use the "--show" option to display all of the cracked passwords reliably Session completed

A powerful network scanning and security detection tool

It can detect which hosts in the LAN are online, or which ports are opened in a host

Scan syntax for NMAP

nmap [scan type] [options] < scan target >

Common scan types

-sS，-sT，-sF，-sU，-sP，-P0

-sT: TCP port

-sU: UDP port

-sP: ping

[root@lpf run]# rpm -q nmap //Package nmap is not installed [root@lpf run]# yum install nmap -y ...Omitted here [root@lpf run]# nmap -sP 20.0.0.0/24 #Check which hosts are online in the 20.0.0.0 network segment Starting Nmap 6.40 ( http://nmap.org ) at 2020-06-23 00:40 CST Nmap scan report for 20.0.0.1 Host is up (0.00052s latency). MAC Address: 00:50:56:C0:00:08 (VMware) Nmap scan report for 20.0.0.2 Host is up (0.00014s latency). MAC Address: 00:50:56:E9:D3:80 (VMware) Nmap scan report for 20.0.0.41 Host is up. Nmap done: 256 IP addresses (3 hosts up) scanned in 2.09 seconds [root@lpf run]# nmap -sT 20.0.0.41 #Check which tcp ports are open in 20.0.0.41 Starting Nmap 6.40 ( http://nmap.org ) at 2020-06-23 00:41 CST Nmap scan report for 20.0.0.41 Host is up (0.00092s latency). Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind 6000/tcp open X11 Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

1. Only user radmin is allowed to use su command

1. Allow user zhangsan to manage employee account through sudo

[root@lpf ~]# visudo zhangsan ALL=(ALL) NOPASSWD: ALL %wheel ALL=(ALL) NOPASSWD: ALL

1. Allow user lisi account to execute privileged command through sudu

[root@lpf ~]# vi /etc/sudoers lisi localhost=/sbin/ifconfig #Format user machine = commands

1. Record Su and sudo operations and make simple system security settings

   By default, actions performed in sudo mode are not recorded. To enable sudo logging, add the "Defaults logfile" option to the / etc / suppliers file.

   As follows: add sudo logging function

   [root@lpf lpf]# vi /etc/sudoers Defaults logfile="/var/log/sudo" Defaults logfile="/var/log/su"

   [root@lpf ~]# vi /etc/profile HISTSIZE=200 #Default 1000, set 200 to reduce the number of commands in history

   [root@lpf ~]# vi ~/.bash_logout # ~/.bash_logout history -c #Exit account history command clear

   [root@lpf ~]# vi ~/.bash_profile export PATH export TMOUT=600 #Add settings for 600 seconds, and automatically log out after 600 seconds of inactivity

   [root@lpf ~]# vi /etc/login.defs # Use SHA512 to encrypt password. ENCRYPT_METHOD SHA512 PASS_MAX_DAYS 30 #Set password validity for 30 days

2. Disable Ctrl + Alt + Del shortcut key, and prevent root user from logging in from tty5, tty6

   [root@lpf ~]# vim /etc/securetty tty4 #tty5 #tty6 tty7 tty8

3. Enable password restriction for GRUB boot menu

[root@lpf ~]# grub2-setpassword Enter password: #Input 123456 Confirm password: #Input 123456 [root@lpf ~]# cat /boot/grub2/user.cfg #Check whether the password is added GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.1A32A17287DE9542A66EF5629975A9DA5BA2BB4D5554B10DA0F410BC911264A640ADD82574A9F5A0AF2A840239516A3F31685BA69F6270D5901022131C6B879F.89AC4391BFD9425A11FE6E4FD373BE91F40F7E5581857C9E76F6720FABF121F13A6CF586F00DF817B0E5FD8961266AE0DEB056131FC443D4F98E06313680CEF8zha [root@lpf ~]# reboot #Press e to obtain GRUB editing permission and enter root 123456 for verification

24 June 2020, 23:16 | Views: 3213