System security and Application

1, Basic measures for account security

1. System account cleaning

(1) Set the Shell of the non logged in user to / sbin/nologin

          usermod -S /sbin/nologin

(2) Lock accounts that have not been used for a long time

          usermod-L user name

          passwd - | user name

          passwd -S username

(3) Delete useless account

          userdel [-r] delete home directory together

(4) Lock account files passwd and shadow

        Chatr + I / etc / passwd / etc / shadow (lock file and view status)

        Isattr /etc/passwd /etc/shadow (unlock file and view status)

        Chatr - I / etc / passwd / etc / shadow (unlock file and view status)

[root@localhost ~]# chattr +i /etc/passwd /etc/shadow
[root@localhost ~]# lsattr /etc/passwd /etc/shadow
----i----------- /etc/passwd
----i----------- /etc/shadow
 Prevent adding or modifying passwords at this time
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow
[root@localhost ~]# lsattr /etc/passwd /etc/shadow
---------------- /etc/passwd
---------------- /etc/shadow
 At this moment, you can add or modify the password

2. Password security control

(1) Set password validity

(2) Require the user to change the password at the next login

For new users
[root@localhost ~]# vim /etc/login.defs

# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.

#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
Suitable for old users
[root@localhost ~]# chage -M 30 123
                             Days user name
[root@localhost ~]# cat /etc/shadow |grep 123
              We can view the password validity through this

[root@localhost ~]# Chage - d 0 123change the password every time you log in
[root@localhost ~]# echo "123123" |passwd --stdin 123
                       Change the password of user 123 to 123123

3. Command history restrictions

Reduce the number of recorded commands

Automatically clear command history on logout

(1) Look at history

[root@localhost ~]# history
    1  vim /etc/sysconfig/network-scripts/ifcfg-ens33 
    2  vim /etc/sysconfig/network-scripts/ifcfg-ens33 
    3  systemctl restart network
   . . . (There are many more below (omitted here)

(2) Temporarily hide history

[root@localhost ~]# history -c temporarily hides the history. It will appear again after shutdown and restart
[root@localhost ~]# history
    1  history

(3) Reduce the number of recorded commands

[root@localhost ~]# vim /etc/profile
HOSTNAME=`/usr/bin/hostname 2>/dev/null`
HISTSIZE=10(This is modified here)
:wq (Save (exit)
[root@localhost ~]# source /etc/profile let's refresh
[root@localhost ~]# history
  391  chage -M 30 123
  392  cat /etc/shadow |grep 123
  393  su 123
  394  hitory
  395  history
  396  vim /etc/profile
  397  history
  398  source .bashrc
  399  source /etc/profile
  400  history
(Now we'll show only the last ten Histories)                                                     

(4) Clear command history

[root@localhost ~]# vim .bashrc

# .bashrc
 Press o Insert, enter in the space
echo "" > ~/.bash_history                                                    
:wq  Save exit
[root@localhost ~]# Source. Bashrc refresh
[root@localhost ~]# cat ./bash_history
((the contents are empty)
[root@localhost ~]# reboot restart
[root@localhost ~]# history is gone
    1  history

3. Terminal automatic logoff

Automatically log off after being idle for 60 seconds

[root@localhost ~]# vim .bash_profile

export PATH
G To the end of the line, enter
export TMOUT=60 
:wq Save exit
[root@localhost ~]# source .bash_profile to refresh
 Idle for 60 seconds will automatically log off

2, Switch user su command

1. Purpose and usage

Purpose: Substitute User to switch users

Format: su - user name

2. Password verification

root → any user, no need to verify password

Ordinary users → other users, you need to verify the password of the target user

[root@localhost ~]# su 123
[123@localhost root]$ pwd
[123@localhost root]$ echo $PATH
 No-,Retain all current environments

[root@localhost ~]# su - 123
[123@localhost ~]$ pwd
[123@localhost ~]$ echo $PATH
 plus-,Use target user's shell Environment, switch the directory to the home directory of the target user

  View current user name

[123@localhost ~]$ whoami
 View current user name

3. Idle users using su command

Add users who are allowed to use the su command to the wheel group

Enable pam_wheel

[root@localhost pam.d]# vim su
 Open the sixth line and delete it#
auth            sufficient
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required use_uid(After opening, only wheel Only users in the group can use it su)
auth            substack        system-auth
auth            include         postlogin
account         sufficient uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional                                                                                
[123@localhost pam.d]$ su root
12^Hsu: Permission denied (permission denied here)

Open the second line and comment(#)The sixth line and comment, the second line and the sixth line are su commands that can be used by all users

4. View su operation records

Security log file: / var/log/secure

3, PAM security authentication in Linux

1. Potential safety hazards of Su command

(1) By default, any user is allowed to use the su command, and has the opportunity to repeatedly try the login password of other users (such as root), which brings security risks

(2) In order to strengthen the use control of su command, with the help of PAM authentication module, only a few users are allowed to use su command for switching

2.PAM(Pluggable Authentication Modules) pluggable authentication module

(1) It is an efficient, flexible and convenient user level authentication method

(2) It is a widely used authentication method for Linux servers

3.PAM certification principle

(1) Generally follow the order

          Service → PAM → pam_ * so

(2) first determine which service, then load the corresponding PAM configuration file (located under /etc/pam.d), and finally call the authentication file (located under /lib64/security') for security authentication.

(3) When a user accesses the server, a service program of the server sends the user's request to the PAM module for authentication

(4) Different applications have different PAM modules

4. Composition of PAM certification

(1) To check whether a program supports PAM authentication, you can use the Is command

          Example: check su whether PAM module authentication is supported

[123@localhost pam.d]$ ls /etc/pam.d | grep su

(2) View Su's PAM configuration file: cat /etc/pam.d/su  

        Each line is an independent authentication process

        Each line can be divided into three fields: authentication type; Control type; PAM module and its parameters

[123@localhost pam.d]$ cat /etc/pam.d/su
#auth		sufficient
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required use_uid
auth		substack	system-auth
auth		include		postlogin
account		sufficient uid = 0 use_uid quiet
account		include		system-auth
password	include		system-auth
session		include		system-auth
session		include		postlogin
session		optional


The first column represents the PAM authentication module type

auth: identify the user's identity. If prompted to enter a password, judge whether it is root.  

Account: check the attributes of the account, such as whether it is allowed to log in to the system, whether the account has expired, whether it has reached the maximum number of users, etc.

Password: use user information to update data, such as changing user password.

Session: defines the session operation management to be performed before and after login, such as login connection information,
Open and close user data, Mount file system. How many terminals can be connected

The second column represents the PAM control flag

required: indicates that a success value needs to be returned. If the return fails, the failure result will not be returned immediately, but the next verification of the same type will continue. After the execution of all modules of this type is completed, the failure will be returned.

Required: similar to reguired, but if this module returns a failure, it immediately returns a failure and indicates that this type of failure.

sufficient: if this module returns success, it will directly return success to the program, indicating such success. If it fails, it will not affect this type of return value.

optional: it does not return success or failure. It is generally not used for verification, but only displays information (usually used for session type),

include: indicates that other PAM configuration files are called during validation.

For example, many applications call / etc/pam.d/syatem- auth (mainly responsible for user login authentication)
To achieve authentication without having to write configuration items one by one.

5.PAM verification process

4, Using sudo mechanism to elevate permissions

1. Purpose and usage of sudo (super userdo super user) command

Purpose: execute authorization commands as other users (such as root)

Usage: sudo authorization command

2. Configure sudo authorization

(1) visudo or vi /etc/sudoers

(2) Record format

        user       Host name list = command program list

[123@localhost root]$ sudo ifconfig ens33:2

We trust that you have learned the daily precautions from the system administrator.
To sum up, there are no more than these three points:

    #1) Respect other people's privacy.
    #2) Consider (consequences and risks) before entering.
    #3) The greater the power, the greater the responsibility.

[sudo] 123 Password for:
Sorry, user 123 does not have permission to root Where is your identity localhost.localdomain Upper execution /sbin/ifconfig ens33:2 

[root@localhost ~]# visudo

## The COMMANDS section may have other options added to it.
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
123 localhost=(root) /sbin/iconfig

Keywords: Linux

Added by hcoms on Thu, 16 Sep 2021 01:03:56 +0300