Preface
Linux is an open source operating system, and Linux servers are widely deployed because of their security, efficiency and stability. The following hardens a Linux system from the perspective of account security, system boot and login control.
A user account is the identity credential of a computer user: anyone who accesses system resources must log in with an account. Linux provides a variety of mechanisms to make sure accounts are used safely.
Basic security measures
Cleaning up and locking system accounts
Besides the accounts the administrator creates by hand, a Linux system contains a large number of accounts created when the system or a program was installed. They exist to own files and to start or maintain service processes, and they are generally not allowed to log in, which is why they are called non-login users. To keep the system secure, the login shell of these users is normally /sbin/nologin (or /bin/false), which refuses an interactive shell, and it should not be changed by hand. Accounts that are no longer needed at all, for example those left behind by a service that was removed, should be deleted with userdel.
For accounts that have not been used for a long time and that you are not yet sure you can delete, lock them temporarily. An account can be locked and unlocked with either usermod or passwd; both work by prefixing the password hash in /etc/shadow with "!", which is why passwd -S then reports the status as LK. Note that this only locks the password: as the usermod man page points out, to lock the account itself (including logins that do not use a password) you should also set an expiry date with usermod -e 1.
```
[root@localhost ~]# usermod -L xx            # lock the account
[root@localhost ~]# passwd -S xx             # view the account status
xx LK 2017-12-22 0 99999 7 -1 (Password locked.)
[root@localhost ~]# usermod -U xx            # unlock the account
[root@localhost ~]# passwd -S xx
xx PS 2017-12-22 0 99999 7 -1 (Password set, SHA512 crypt.)
[root@localhost ~]# passwd -l xx             # the same lock, done with passwd
Locking password for user xx.
passwd: Success
[root@localhost ~]# passwd -u xx             # and the unlock
Unlocking password for user xx.
passwd: Success
```
If the set of accounts on the server is fixed and will not change, you can lock the account files themselves with the immutable attribute. chattr +i and chattr -i set and clear the attribute, and lsattr shows it. Two caveats: while /etc/passwd and /etc/shadow are immutable nobody can change a password either, root included, and package installs that create service accounts will fail; and root can clear the attribute at any time, so this protects against mistakes and careless scripts rather than against an attacker who already has root. If group membership is also fixed, lock /etc/group and /etc/gshadow the same way.
```
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow   # +i: make the files immutable
[root@localhost ~]# lsattr /etc/passwd /etc/shadow      # view the file attributes
----i--------e- /etc/passwd
----i--------e- /etc/shadow
[root@localhost ~]# useradd xx   # while locked, users cannot be added or deleted, and passwords, login shells, home directories and other attributes cannot be changed
useradd: cannot open /etc/passwd
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow   # -i: remove the immutable attribute
[root@localhost ~]# useradd xx   # the user is created normally
[root@localhost ~]#
```
Password security control
To reduce the risk of password guessing and brute-force attacks, the same password should not be kept indefinitely. The administrator can limit the maximum validity of passwords on the server; a user whose password has expired is forced to set a new one at login and is refused otherwise.
```
[root@localhost ~]# vim /etc/login.defs       # applies to accounts created from now on
PASS_MAX_DAYS   30      # a password may be used for at most 30 days, then must be changed
PASS_MIN_DAYS   0       # minimum days before a password may be changed again (0 = any time)
PASS_MIN_LEN    5       # minimum acceptable password length (see the note below)
PASS_WARN_AGE   7       # days of warning before a password expires
[root@localhost ~]# chage -M 30 xx            # existing users: the password expires after 30 days
[root@localhost ~]# chage -d 0 xx             # force a password change at the next login
```
The values in /etc/login.defs only affect accounts created afterwards; for existing accounts use chage as shown, and verify the settings now in effect with chage -l xx. On systems where PAM handles password quality (pam_pwquality or pam_cracklib, which is the case on most current distributions), PASS_MIN_LEN in login.defs is ignored and the minimum length must be set in the PAM configuration instead.
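As an added example (not from the original article), the following shell script pulls the checks from this section into one audit: system accounts that still have a login shell, extra UID 0 accounts, empty password fields, accounts locked with usermod -L or passwd -l, and passwords whose maximum age exceeds the policy. It runs on constructed passwd and shadow samples embedded in the script (hypothetical users and placeholder hashes), so it needs no root; to audit a live host, run audit_report /etc/passwd /etc/shadow 30 as root.

```shell
#!/bin/sh
# Added example, not part of the original article. Audits a passwd/shadow pair
# for the account problems discussed above. The sample files below are
# constructed (hypothetical users, placeholder hashes) so it runs without root.

make_sample_passwd() {
  # name:x:uid:gid:gecos:home:shell
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
backup:x:0:0:backup:/root:/bin/bash
xx:x:1000:1000::/home/xx:/bin/bash
ysf:x:1001:1001::/home/ysf:/bin/bash
EOF
}

make_sample_shadow() {
  # name:hash:lastchange:min:max:warn:inactive:expire:  (hashes are placeholders)
  cat <<'EOF'
root:$6$salt$hash:17522:0:99999:7:::
bin:*:17522:0:99999:7:::
daemon:*:17522:0:99999:7:::
ftp::17522:0:99999:7:::
backup:$6$salt$hash:17522:0:99999:7:::
xx:!$6$salt$hash:17522:0:99999:7:::
ysf:$6$salt$hash:17522:0:30:7:::
EOF
}

# System accounts (UID 1-999) whose shell is not nologin/false: candidates for
# "usermod -s /sbin/nologin" or for deletion.
service_accounts_with_shell() {
  awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Any account other than root with UID 0 is a second root: a classic backdoor.
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Empty hash field: the account can log in with no password at all.
empty_passwords() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# A hash prefixed with "!" is what usermod -L / passwd -l leave behind (LK in passwd -S).
locked_accounts() {
  awk -F: '$2 ~ /^!/ { print $1 }' "$1"
}

# Accounts with a usable password whose max age is unset or above the limit;
# fix with "chage -M <days> user".
password_max_age_over() {
  awk -F: -v max="$2" \
    '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max) { print $1 }' "$1"
}

# One labelled section per check. Usage: audit_report PASSWD SHADOW MAXDAYS
audit_report() {
  echo "== system accounts with a login shell";  service_accounts_with_shell "$1"
  echo "== extra UID 0 accounts";                extra_uid0 "$1"
  echo "== empty passwords";                     empty_passwords "$2"
  echo "== locked accounts";                     locked_accounts "$2"
  echo "== max password age over $3 days";       password_max_age_over "$2" "$3"
}

# Stand-alone demo on the constructed samples.
demo() (
  p=$(mktemp) && s=$(mktemp)
  make_sample_passwd > "$p" && make_sample_shadow > "$s"
  audit_report "$p" "$s" 30
  rm -f "$p" "$s"
)

demo
```

On the sample data the report flags ftp (a system account with /bin/bash and an empty password), backup (a second UID 0 account), xx as locked, and root and backup for a 99999-day maximum age; ysf, which already has chage -M 30 applied, passes.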
An idle timeout can be set for the bash terminal environment: when there is no input for longer than the specified time, the shell exits and the session is logged out. It is controlled by the TMOUT variable, whose unit is seconds.
```
[root@localhost ~]# vim /etc/profile          # for users who log in from now on
export TMOUT=600
[root@localhost ~]# TMOUT=600                 # takes effect for the current shell only
[root@localhost ~]# unset TMOUT               # cancel the timeout before a long-running task so it is not interrupted
```
Because any user can unset TMOUT just as easily, declare it with readonly TMOUT in /etc/profile if the timeout is meant to be enforced rather than advisory.
Switching users and elevating privileges
Switching users with su
With the su command you can switch to a specified user and obtain all of that user's permissions. The dash (su - user) starts a login shell, so the target user's environment is loaded instead of being inherited from the caller.
```
[root@localhost ~]# su - xx          # root switching to an ordinary user: no password asked
[xx@localhost ~]$ su -               # an ordinary user switching to root must enter root's password
Password:
[root@localhost ~]#
```
Elevating privileges with sudo
Although su lets you become root, it requires the root password, and a privileged password that everyone knows is a risk (and leaves no record of who used it). sudo lets ordinary users run specific commands as root, authenticating with their own password rather than the root password, and it records who ran what. Authorization is granted in /etc/sudoers, which should only be edited with visudo because it checks the syntax before saving; the rule behind the example below has the form xx localhost=/sbin/ifconfig, and the log file shown at the end is enabled with Defaults logfile=/var/log/sudo (without it sudo logs through syslog).
```
[xx@localhost ~]$ ifconfig eth0:0 10.0.0.1/8        # without sudo: refused
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
[xx@localhost ~]$ sudo ifconfig eth0:0 10.0.0.1/8   # with sudo
......                                              # some output omitted
[sudo] password for xx:                             # xx's own password, not root's
[xx@localhost ~]$ ifconfig eth0:0                   # the command took effect
eth0:0    Link encap:Ethernet  HWaddr 00:0C:29:1C:B4:FB
          inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
[xx@localhost ~]$ sudo -l                           # which sudo rules apply to me
[sudo] password for xx:
User xx may run the following commands on this host:
    (root) /sbin/ifconfig
[root@localhost ~]# tail /var/log/sudo              # the user's sudo actions are logged
Dec 27 07:49:35 : xx : TTY=pts/0 ; PWD=/home/xx ; USER=root ; COMMAND=/sbin/ifconfig eth0:0 10.0.0.1/8
```
PAM authentication
By default every user may run su, so anyone can repeatedly try the passwords of other users, root included, which is a security risk. The pam_wheel module restricts su to members of one group (wheel unless a group= option is given), so only a few trusted users can switch with su; the use_uid option makes it check the real UID of the calling process rather than the login name.
```
[root@localhost ~]# vim /etc/pam.d/su
auth            required        pam_wheel.so use_uid      # uncomment this line
[root@localhost ~]# su - xx
[xx@localhost ~]$ su - root          # xx is not in wheel: rejected even with the correct password
Password:
su: incorrect password
[xx@localhost ~]$ exit
logout
[root@localhost ~]# gpasswd -a xx wheel     # add an authorized user to the wheel group
Adding user xx to group wheel
[root@localhost ~]# grep wheel /etc/group   # view the wheel group members
wheel:x:10:xx
[root@localhost ~]# su - xx
[xx@localhost ~]$ su -                      # try again: the switch now succeeds
Password:
[root@localhost ~]#
```
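As an added example covering the sudo and PAM sections above (not from the original article), this shell script checks the policy pieces that decide who can become root: whether /etc/pam.d/su actually enforces pam_wheel, who is in wheel, which sudoers entries are root-equivalent (any command) or need no password at all, and what a given user has run through sudo according to a Defaults logfile log. It works on constructed copies of /etc/pam.d/su, /etc/group, /etc/sudoers and the sudo log embedded in the script; the users, the sudoers rules and the log lines are hypothetical. To check a live host, point the functions at the real files as root.

```shell
#!/bin/sh
# Added example, not part of the original article. Audits su/sudo policy on
# constructed copies of the relevant files (all sample content is hypothetical).

make_sample_pam_su() {
  cat <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
EOF
}

make_sample_group() {
  cat <<'EOF'
root:x:0:
wheel:x:10:ysf,xx
users:x:100:
EOF
}

make_sample_sudoers() {
  cat <<'EOF'
Defaults logfile=/var/log/sudo
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
xx      localhost=/sbin/ifconfig
ysf     ALL=(ALL)       NOPASSWD: ALL
EOF
}

make_sample_sudo_log() {
  # Same layout as the "Defaults logfile" line shown in the article.
  cat <<'EOF'
Dec 27 07:49:35 : xx : TTY=pts/0 ; PWD=/home/xx ; USER=root ; COMMAND=/sbin/ifconfig eth0:0 10.0.0.1/8
Dec 27 07:51:02 : ysf : TTY=pts/1 ; PWD=/home/ysf ; USER=root ; COMMAND=/bin/bash
Dec 27 07:52:10 : xx : TTY=pts/0 ; PWD=/home/xx ; USER=root ; COMMAND=/sbin/ifconfig eth0:0 down
EOF
}

# "yes" if the pam.d/su file has an active (uncommented) pam_wheel line, else "no".
pam_wheel_enforced() {
  if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"; then
    echo yes
  else
    echo no
  fi
}

# Members of the group pam_wheel consults (wheel unless group= is given).
wheel_members() {
  awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# sudoers principals whose command list is ALL: these are root-equivalent.
sudoers_all_commands() {
  awk '!/^[[:space:]]*(#|Defaults)/ && NF >= 3 && $NF == "ALL" { print $1 }' "$1"
}

# sudoers principals that escalate without entering any password.
sudoers_nopasswd() {
  awk '!/^[[:space:]]*#/ && /NOPASSWD:/ { print $1 }' "$1"
}

# Commands a given user ran through sudo, taken from a "Defaults logfile" log.
# Usage: sudo_commands_by USER LOGFILE
sudo_commands_by() {
  sed -n "s/^.* : $1 : .*COMMAND=//p" "$2"
}

# Stand-alone demo on the constructed samples.
demo() (
  a=$(mktemp) && g=$(mktemp) && u=$(mktemp) && l=$(mktemp)
  make_sample_pam_su > "$a"; make_sample_group > "$g"
  make_sample_sudoers > "$u"; make_sample_sudo_log > "$l"
  echo "pam_wheel enforced for su: $(pam_wheel_enforced "$a")"
  echo "wheel members: $(wheel_members "$g")"
  echo "== sudoers entries allowed to run ANY command"; sudoers_all_commands "$u"
  echo "== sudoers entries with NOPASSWD";             sudoers_nopasswd "$u"
  echo "== commands xx ran through sudo";              sudo_commands_by xx "$l"
  rm -f "$a" "$g" "$u" "$l"
)

demo
```

On the samples the script reports pam_wheel as enforced, wheel containing ysf and xx, three root-equivalent sudoers entries (root, %wheel and ysf, the last of them also NOPASSWD), and the two ifconfig invocations by xx. Combined with the audit this shows why granting %wheel ALL=(ALL) ALL makes wheel membership as sensitive as the root password itself. Before installing any edited sudoers file, validate it with visudo -c -f FILE.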