System security and Application

[root@localhost ~]# usermod -s /sbin/nologin
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account

usermod printed its usage text because no login name was given. The working form is usermod -s /sbin/nologin USER: the account keeps its files and can still run services, but an interactive login is refused. Note that -p expects an already hashed password; a plaintext value would be stored as-is and never match.

[root@localhost ~]# usermod -L zhangsan
[root@localhost ~]# passwd -S
passwd: This option requires a user name.
[root@localhost ~]# passwd -S zhangsan
zhangsan LK 1969-12-31 0 99999 7 -1 (Password locked.)

Lock the account files

[root@localhost ~]# chattr +i /etc/passwd /etc/shadow
[root@localhost ~]# lsattr /etc/passwd /etc/shadow
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# useradd liwui
useradd: cannot open /etc/passwd

With the immutable bit set, useradd, userdel, usermod and passwd all fail, for root as well; remove it with chattr -i before any account change and set it again afterwards.

Create a user and set the password

[root@localhost ~]# useradd lisi
[root@localhost ~]# passwd lisi
Changing password for user lisi.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

1.2 password security control
Set password validity
Require the user to change the password at the next login
[root@localhost ~]# vi /etc/login.defs    # applies to accounts created after the change
...
PASS_MAX_DAYS 30
[root@localhost ~]# chage -M 30 zhangsan    # applies to an existing account

[root@localhost ~]# ls
anaconda-ks.cfg  initial-setup-ks.cfg  Public  Templates  Videos  Pictures  Documents  Downloads  Music  Desktop
[root@localhost ~]# ll
total 8
-rw-------. 1 root root 2044 Sep 14 23:11 anaconda-ks.cfg
-rw-r--r--. 1 root root 2092 Sep 14 23:12 initial-setup-ks.cfg
drwxr-xr-x. 2 root root    6 Sep 14 23:12 Public
drwxr-xr-x. 2 root root    6 Sep 14 23:12 Templates
drwxr-xr-x. 2 root root    6 Sep 14 23:12 Videos
drwxr-xr-x. 2 root root    6 Sep 14 23:12 Pictures
drwxr-xr-x. 2 root root    6 Sep 14 23:12 Documents
drwxr-xr-x. 2 root root    6 Sep 14 23:12 Downloads
drwxr-xr-x. 2 root root    6 Sep 14 23:12 Music
drwxr-xr-x. 2 root root    6 Sep 14 23:12 Desktop
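What the commands in 1.1 and 1.2 actually change is the account's record in /etc/shadow: usermod -L and passwd -l prefix the hash with "!", chage -M writes field 5, and chage -d 0 sets field 3 to 0, which is what forces a password change at the next login. The script below is an added example, not code from the original post: it reads shadow-format records and prints the same status code passwd -S reports (LK, NP, PS) together with the aging fields. The five records are constructed sample data and the hashes are placeholders, not real password hashes.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. It reads /etc/shadow-style
# records and prints what `passwd -S` reports for each account (status code plus
# the aging fields), so the effect of usermod -L / passwd -l (a "!" prefixed to
# the hash), chage -M 30 (field 5) and chage -d 0 (field 3 = 0, which forces a
# password change at the next login) is visible in the data itself.
# The records below are constructed for the demonstration; the "hashes" are
# placeholders, not real password hashes.

SAMPLE_SHADOW='root:$6$salt$placeholderhash:18900:0:99999:7:::
zhangsan:!$6$salt$placeholderhash:18900:0:30:7:::
lisi:$6$salt$placeholderhash:0:0:99999:7:::
liwui:!!:18900:0:99999:7:::
sync:*:18353:0:99999:7:::'

# shadow_status RECORD
# Prints: name STATUS lastchg min max warn inactive [notes]
#   LK = locked or unusable ("!" or "*" prefix), NP = empty password field
#   (login without any password), PS = usable password.
# Field 3 is days since 1970-01-01; passwd -S turns it into a date, and shows
# -1 for an empty inactive field, as in the transcript above.
shadow_status() {
  printf '%s\n' "$1" | awk -F: '{
    name = $1; pw = $2; status = "PS"; note = ""
    if (pw == "")
      status = "NP"
    else if (substr(pw, 1, 1) == "!" || substr(pw, 1, 1) == "*")
      status = "LK"
    if (pw == "!!")                    note = note " never-set"    # useradd without passwd
    if (status == "PS" && $3 == "0")   note = note " must-change-at-next-login"
    if ($5 != "" && $5 != "99999")     note = note " max-age=" $5 "d"
    inactive = ($7 == "" ? "-1" : $7)
    printf "%s %s %s %s %s %s %s%s\n", name, status, $3, $4, $5, $6, inactive, note
  }'
}

# audit_shadow < shadow-text: one report line per non-empty record
audit_shadow() {
  while IFS= read -r rec; do
    [ -n "$rec" ] && shadow_status "$rec"
  done
}

# locked_accounts: names of the LK accounts in the sample, space separated
locked_accounts() {
  printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | awk '$2 == "LK" { printf "%s%s", sep, $1; sep = " " }'
}

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

Run against the real file with `audit_shadow < /etc/shadow` as root. An NP line is the one to act on first: that account logs in with no password at all. Accounts locked with usermod -L still have a working hash behind the "!", so unlocking restores the old password unchanged; if the account was also reachable by SSH key, locking the password does not block that, only a non-login shell or an expired account does.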


1.3 command history restrictions
Reduce the number of recorded commands
Automatically clear command history on logout
Terminal automatic logoff
Automatically log off after 600 seconds of inactivity
[root@localhost ~]# vi /etc/profile
HISTSIZE=200
[root@localhost ~]# vi ~/.bashrc
echo "" > ~/.bash_history
[root@localhost ~]# vi ~/.bash_profile
...
export TMOUT=600

Two caveats. ~/.bashrc runs when a shell starts, so the line above empties the previous session's history at the next login rather than at logout itself; the same line in ~/.bash_logout clears it as the login shell exits. HISTSIZE limits what the running shell keeps in memory, while HISTFILESIZE limits what is written to ~/.bash_history. TMOUT only protects a session if the user cannot simply run unset TMOUT, so follow the export with readonly TMOUT.
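An audit for the three settings just listed, as an added example that is not part of the post: it reads a shell startup file and reports each setting as OK or MISSING. The limits of 200 lines and 600 seconds are the post's values; the readonly TMOUT check is an addition the post does not mention, and the file the script writes at the bottom is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: an audit of the three settings
# above (capped HISTSIZE, history emptied when the session ends, TMOUT idle
# logoff) in a given shell startup file. Thresholds of 200 lines and 600 seconds
# are the post's values and are the defaults here. The file created at the
# bottom is constructed for the demonstration.

# check_shell_hardening FILE [MAX_HISTSIZE] [MAX_TMOUT]
# Prints one OK/MISSING line per check; returns 0 only if all four pass.
check_shell_hardening() {
  local f="$1" max_hist="${2:-200}" max_tmout="${3:-600}" rc=0 v

  # Take the last uncommented assignment, because that is what wins when the
  # file is sourced; a commented "# HISTSIZE=100" does not count.
  v=$(sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?HISTSIZE=([0-9]+).*/\2/p' "$f" | tail -n 1)
  if [ -n "$v" ] && [ "$v" -le "$max_hist" ]; then
    echo "OK      HISTSIZE=$v"
  else
    echo "MISSING HISTSIZE capped at $max_hist (found: ${v:-unset})"; rc=1
  fi

  # TMOUT=0 disables the timeout, so it must be positive as well as capped.
  v=$(sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?TMOUT=([0-9]+).*/\2/p' "$f" | tail -n 1)
  if [ -n "$v" ] && [ "$v" -gt 0 ] && [ "$v" -le "$max_tmout" ]; then
    echo "OK      TMOUT=$v"
  else
    echo "MISSING TMOUT between 1 and $max_tmout (found: ${v:-unset})"; rc=1
  fi

  # Without "readonly TMOUT" any user can run "unset TMOUT" and defeat the logoff.
  if grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' "$f"; then
    echo "OK      TMOUT is readonly"
  else
    echo "MISSING readonly TMOUT"; rc=1
  fi

  # The post's method is an empty write to ~/.bash_history; "history -c" is the
  # other common form. Either is accepted.
  if grep -Eq '(history[[:space:]]+-c|>[[:space:]]*~/\.bash_history)' "$f"; then
    echo "OK      history cleared"
  else
    echo "MISSING history cleared on exit"; rc=1
  fi
  return $rc
}

# Demonstration on a constructed file (temporary path, not a real profile).
demo=$(mktemp)
printf 'HISTSIZE=200\nexport TMOUT=600\nreadonly TMOUT\necho "" > ~/.bash_history\n' > "$demo"
check_shell_hardening "$demo"
rm -f "$demo"
```

Run it as `check_shell_hardening /etc/profile` and again on each user's ~/.bashrc and ~/.bash_profile, since a per-user file sourced later can override the system-wide values.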

Automatic clear history command on logout

[root@localhost ~]# vim .bashrc
[root@localhost ~]# source .bashrc 
[root@localhost ~]# history 
    1  vim /etc/sysconfig/network-scripts/ifcfg-ens
    2  vim /etc/sysconfig/network-scripts/ifcfg-ens33
    3  ping 192.168.157.101
    4  vim /etc/sysconfig/network-scripts/ifcfg-ens33
    5  ping 192.168.157.102
    6  vim /etc/sysconfig/network-scripts/ifcfg-ens33
    7  ping 192.168.157.101
    8  vim /etc/sysconfig/network-scripts/ifcfg-ens33
    9  ping 192.168.157.101
   10  vim /etc/sysconfig/network-scripts/ifcfg-ens33
   11  vim /etc/sysconfig/network-scripts/ifcfg-ens33
   12  ping 192.168.157.101
   13  vim /etc/sysconfig/network-scripts/ifcfg-ens33
   14  ping 192.168.157.100
   15  ping 192.168.157.2
   16  ping 192.168.157.101
   17  vim /etc/sysconfig/network-scripts/ifcfg-ens33
   18  ping 192.168.157.101
   19  vim /etc/sysconfig/network-scripts/ifcfg-ens33
   20  ping 192.168.157.107
   21  vim /etc/sysconfig/network-scripts/ifcfg-ens33
   22  ping 192.168.157.101
   23  systemctl restart network
   24  vim /etc/sysconfig/network-scripts/ifcfg-ens33
   25  ping 192.168.157.101
   26  systemctl stop firewalld.service 
   27  setenforce 0
   28  vim .bashrc
   29  source .bashrc 
   30  cat bash_history
   31  history 

Reboot to verify

[root@localhost ~]# reboot
Connection closing...Socket close.

Connection closed by foreign host.

Disconnected from remote host(centOS7-1) at 16:29:31.

Type `help' to learn how to use Xshell prompt.
[C:\~]$ 

Connecting to 192.168.157.101:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Fri Sep 17 16:30:13 2021
[root@localhost ~]# history 
    1  history 

1.4 switching users with su command
Purpose and usage
Purpose: Substitute User, switch to another user account
Format: su - target_user (the "-" starts a login shell with the target user's environment)
Password verification
root -> any user: no password is asked
ordinary user -> another user: the target user's password must be entered


1.5 restrict users using the su command
Add the users who are allowed to use su to the wheel group
Enable the pam_wheel authentication module

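The configuration this section describes, shown as an added example rather than the post's own text: the relevant lines of /etc/pam.d/su on CentOS 7, where the pam_wheel.so line ships commented out and only needs uncommenting. The module name, the wheel group and the use_uid option are the standard ones; the user name lisi is taken from the post.

```conf
# /etc/pam.d/su (excerpt, CentOS 7 layout)
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
```

Put the permitted users in the group with gpasswd -a lisi wheel (or usermod -aG wheel lisi). use_uid makes pam_wheel check the real uid of the calling process rather than the owner of the terminal session, so the rule holds inside nested su sessions too. Because the line is required rather than requisite, a user outside wheel is still prompted for the password and only then refused, which reveals nothing about group membership; with requisite the refusal would come before the prompt. The commented trust variant lets wheel members switch without any password at all, which removes the password check rather than adding a restriction.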

2, PAM security authentication in Linux
2.1 security risks of the su command
By default any user may run su, so anyone can try the passwords of other accounts (root above all) as often as they like
To tighten control of su, the PAM module pam_wheel limits the command to a chosen group of users
PAM (Pluggable Authentication Modules)
An efficient, flexible and convenient mechanism for user-level authentication
Widely used for authentication on Linux servers
2.2 how PAM authentication works
The usual order is
service -> PAM configuration file -> pam_*.so
First determine which service is asking, then load that service's PAM configuration file (under /etc/pam.d), and finally call the module shared objects (under /lib64/security) to perform the checks.
When a user accesses the server, the service program hands the request to PAM for authentication
Different applications use different PAM modules
2.3 PAM configuration layout
To check whether a program uses PAM, list its file under /etc/pam.d
Example: check whether su uses PAM
ls /etc/pam.d | grep su
View su's PAM configuration file: cat /etc/pam.d/su
Each line is one independent authentication step
Each line has three fields
authentication type (auth, account, password or session)
control flag
PAM module and its arguments
2.4 PAM authentication flow
What each control flag does with a module's result
1. required: on failure, continue through the rest of the stack, but the final result is failure
2. requisite: on failure, stop immediately and return failure
3. sufficient: on success (with no earlier required failure), return success immediately; on failure, ignore the result and continue
4. optional: the result is ignored unless it is the only module in the stack (mostly used for the session type)
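The four rules above are easiest to see running. The script below is an added example, not code from the post: a small evaluator for the control flags, applied to a constructed auth stack shaped like /etc/pam.d/su with pam_wheel.so enabled (section 1.5). Module outcomes are supplied by the caller, so what is demonstrated is the decision the flags make, not what the real modules check; only the auth type is modelled and substack/include lines are ignored.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: a small evaluator for the four
# PAM control flags, run over a constructed auth stack shaped like /etc/pam.d/su
# with pam_wheel.so enabled. Module outcomes are supplied by the caller, so the
# point is what the flags decide, not what the real modules check.
# Only the auth type is modelled; substack/include lines are ignored.

# pam_eval CONFIG OUTCOMES
#   CONFIG   lines of "type control module [args]", as in /etc/pam.d/<service>
#   OUTCOMES space-separated "module=pass" entries; any module not listed fails
# Prints PASS/FAIL with the reason; the exit status follows the verdict.
pam_eval() {
  local config="$1" outcomes="$2"
  local line type control module res required_failed="" decisive=0 optional_res=""
  while IFS= read -r line; do
    set -- $line
    type=$1; control=$2; module=$3
    [ "$type" = auth ] || continue
    case " $outcomes " in *" $module=pass "*) res=pass ;; *) res=fail ;; esac
    case $control in
      requisite)
        # failure ends the stack at once; nothing after it runs
        decisive=1
        if [ "$res" = fail ]; then
          echo "FAIL requisite $module failed, stack aborted"; return 1
        fi ;;
      required)
        # failure is remembered but the rest of the stack still runs, so the
        # caller cannot tell from the prompts which module rejected them
        decisive=1
        [ "$res" = fail ] && [ -z "$required_failed" ] && required_failed=$module ;;
      sufficient)
        # success returns immediately, unless a required module already failed;
        # failure is simply ignored
        decisive=1
        if [ "$res" = pass ] && [ -z "$required_failed" ]; then
          echo "PASS sufficient $module short-circuited the stack"; return 0
        fi ;;
      optional)
        # counts only when it is the sole module in the stack
        optional_res=$res ;;
    esac
  done <<EOF
$config
EOF
  if [ -n "$required_failed" ]; then
    echo "FAIL required $required_failed failed (later modules still ran)"; return 1
  fi
  if [ "$decisive" -eq 0 ] && [ "$optional_res" = fail ]; then
    echo "FAIL optional module was the whole stack"; return 1
  fi
  echo "PASS end of stack reached with no required failure"; return 0
}

# Constructed stack: /etc/pam.d/su with the pam_wheel.so line uncommented.
SU_STACK='auth sufficient pam_rootok.so
auth required   pam_wheel.so use_uid
auth required   pam_unix.so'

for outcomes in "pam_rootok.so=pass" \
                "pam_unix.so=pass" \
                "pam_wheel.so=pass pam_unix.so=pass"; do
  printf '%-40s -> ' "$outcomes"; pam_eval "$SU_STACK" "$outcomes" || true
done
```

The three runs correspond to root running su (pam_rootok succeeds, nothing else is consulted), a user outside wheel who knows the password (pam_unix still runs and succeeds, yet the result is failure because the required pam_wheel failed), and a wheel member with the right password. Changing pam_wheel's flag to requisite in SU_STACK makes the second case fail before pam_unix ever prompts.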


2.5 using sudo to elevate privileges
Disadvantages of the su command: the target account's password has to be shared, and the switch grants a full shell rather than a single command
Purpose and usage of the sudo command
Purpose: execute authorized commands as another user (such as root)
Usage: sudo authorized_command
2.6 configuring sudo authorization
visudo or vi /etc/sudoers (visudo locks the file and checks the syntax before saving; a syntax error saved with vi breaks sudo for everyone)
Record format: user  host_list=(run_as_user)  command_list, where (run_as_user) is optional and defaults to root

[sudo] password for lisi:
lisi is not in the sudoers file.  This incident will be reported.
[lisi@localhost root]$ visudo
visudo: /etc/sudoers: Permission denied
You have mail in /var/spool/mail/root
[lisi@localhost root]$ su root
Password:
[root@localhost ~]# visudo

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
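A rule for the user from the transcript above, as an added example that is not part of the post's sudoers listing: it gives lisi the SOFTWARE alias from the default file, on this host only, and also enables the log file that section 2.7 reads. The file path /etc/sudoers.d/lisi is an assumption; the default /etc/sudoers on CentOS 7 already includes that directory, and the host name localhost is the one in the post's prompt.

```conf
# /etc/sudoers.d/lisi  (assumed path; edit with: visudo -f /etc/sudoers.d/lisi)
Defaults    logfile=/var/log/sudo
Cmnd_Alias  SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
lisi        localhost=(root) SOFTWARE
```

Define the alias here only while it is still commented out in /etc/sudoers; sudoers rejects a second definition of the same alias name. The host field must match the machine's own hostname (or be ALL). Check the result with visudo -cf /etc/sudoers.d/lisi and sudo -l -U lisi before relying on it. Treat this alias as a convenience boundary rather than a security one: rpm and yum running as root execute package scriptlets, so a user who can install arbitrary packages is effectively root.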

2.7 viewing sudo operation records
Requires Defaults logfile to be set in sudoers; without it sudo logs only through syslog (authpriv, /var/log/secure on CentOS)
Log file: /var/log/sudo
[root@localhost ~]# tail /var/log/sudo

3, Summary
3.1 lock accounts that have not been used for a long time
usermod -L username
passwd -l username
passwd -S username (view status)
Delete useless accounts: userdel [-r] username
Lock the account files passwd and shadow
chattr +i /etc/passwd /etc/shadow (lock)
lsattr /etc/passwd /etc/shadow (view attributes)
chattr -i /etc/passwd /etc/shadow (unlock)
3.2 switching users with su command
Purpose and usage
Purpose: Substitute User, switch to another user account
Format: su - target_user
Password verification
root -> any user: no password is asked
ordinary user -> another user: the target user's password must be entered
3.3 how PAM authentication works
The usual order is
service -> PAM configuration file -> pam_*.so
First determine which service is asking, then load that service's PAM configuration file (under /etc/pam.d), and finally call the module shared objects (under /lib64/security) to perform the checks.

Tags: Linux ssh

Posted on Thu, 23 Sep 2021 06:53:08 -0400 by jtapoling