System security and application
1. System account cleanup
1. Set the shell of accounts that should never log in interactively to /sbin/nologin
- usermod -s /sbin/nologin username
2. Lock accounts that have not been used for a long time
- usermod -L username  or  passwd -l username -------------- lock the account (password)
- passwd -S username ---------------------------------------- view the account status
- passwd -u username ---------------------------------------- unlock the account
Locking only disables password authentication: a key in ~/.ssh/authorized_keys still lets the user in over SSH. For an account that must not log in at all, combine the lock with the nologin shell above, or set an expiry date in the past with usermod -e.
3. Delete useless accounts
- userdel -r username ---------------------------------------- also removes the home directory and mail spool
4. Lock the account files passwd and shadow
- chattr +i /etc/passwd /etc/shadow -------------- lock the files (immutable attribute)
- lsattr /etc/passwd /etc/shadow ----------------- view the attribute
- chattr -i /etc/passwd /etc/shadow -------------- unlock the files
While the files are locked, users cannot be created or deleted and passwords cannot be changed, not even by root; unlock before any user maintenance and lock again afterwards.
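As an added example (not part of the original notes), the script below audits the account state this section is about: it reads passwd- and shadow-format files given as arguments and lists which human accounts (UID 1000 and above) still have both an interactive shell and an unlocked password, i.e. which ones the cleanup has not yet reached. The function names, the account names and the passwd/shadow lines in the demo are constructed for illustration; run it as root against /etc/passwd and /etc/shadow to audit a live host.

```bash
#!/usr/bin/env bash
# Account cleanup audit: which human accounts can still log in with a password?
# Pass a passwd file and a shadow file (real ones need root to read /etc/shadow).

# account_state PASSWD_FILE SHADOW_FILE
# prints "<user> uid=<uid> shell=<shell> password=<locked|unlocked|empty>"
# for every human account (UID >= 1000, below the nobody range).
account_state() {
    local passwd_file=$1 shadow_file=$2
    local user x uid gid gecos home shell hash state
    while IFS=: read -r user x uid gid gecos home shell; do
        [ "$uid" -ge 1000 ] && [ "$uid" -lt 65534 ] || continue   # skip system accounts
        hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
        case "$hash" in
            '')        state=empty ;;      # no password at all: worse than unlocked
            '!'*|'*'*) state=locked ;;     # usermod -L / passwd -l / never set
            *)         state=unlocked ;;
        esac
        printf '%s uid=%s shell=%s password=%s\n' "$user" "$uid" "$shell" "$state"
    done < "$passwd_file"
}

# login_capable PASSWD_FILE SHADOW_FILE
# prints only the accounts with an interactive shell whose password is not locked.
# A nologin shell alone is not enough to report "safe": see the SSH-key caveat above.
login_capable() {
    account_state "$1" "$2" | awk '
        $3 !~ /^shell=(\/sbin\/nologin|\/usr\/sbin\/nologin|\/bin\/false)$/ &&
        $4 != "password=locked" { print $1, $4 }'
}

# Demo on constructed data (hashes are placeholders, not real crypt output).
demo_account_audit() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
zhangsan:x:1000:1000::/home/zhangsan:/bin/bash
lisi:x:1001:1001::/home/lisi:/bin/bash
wangwu:x:1002:1002::/home/wangwu:/sbin/nologin
nobody:x:65534:65534:Nobody:/:/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$r$hash:19000:0:99999:7:::
bin:*:18000:0:99999:7:::
zhangsan:$6$z$hash:19000:0:99999:7:::
lisi:!$6$l$hash:19000:0:99999:7:::
wangwu:$6$w$hash:19000:0:99999:7:::
nobody:*:18000:0:99999:7:::
EOF
    echo "== human accounts =="
    account_state "$dir/passwd" "$dir/shadow"
    echo "== still able to log in with a password =="
    login_capable "$dir/passwd" "$dir/shadow"     # only zhangsan: lisi is locked, wangwu has nologin
    rm -rf "$dir"
}
demo_account_audit
```

The demo deliberately includes the two half-measures from this section (lisi locked but with a login shell, wangwu with nologin but an unlocked password) so the output shows that only an account with both properties drops off the list.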
2. Password security control
- Set a password validity period
- Require users to change their password at the next login
[root@localhost ~]# vi /etc/login.defs
##### Password aging defaults; they apply only to users created after the change
PASS_MAX_DAYS 30
[root@localhost ~]# chage -M 30 lisi
##### Applies to an existing user
[root@localhost ~]# grep lisi /etc/shadow
[root@localhost ~]# chage -d 0 zhangsan
##### Forces a password change at the next login
[root@localhost ~]# grep zhangsan /etc/shadow
##### The third field of the shadow entry (date of the last password change, in days since 1970-01-01) is now 0; chage -l zhangsan shows the same aging data in readable form
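As an added example (not part of the original notes), the script below reads a shadow-format file and reports, per account, the effect of the settings above: a last-change field of 0 (chage -d 0) means "must change at next login", and last-change plus the max field (PASS_MAX_DAYS / chage -M) gives the expiry day. A second helper pulls the effective PASS_MAX_DAYS out of a login.defs file while ignoring commented lines. The shadow entries, the day numbers and the function names are constructed for illustration; "today" is passed in as a day count so the output is reproducible (omit it to use the real date), and a live check is run as root against /etc/shadow and /etc/login.defs.

```bash
#!/usr/bin/env bash
# Password aging report from a shadow-format file.
# Shadow fields: 1 user, 2 hash, 3 last change (days since 1970-01-01),
# 4 min days, 5 max days, 6 warn, 7 inactive, 8 account expiry, 9 reserved.

# password_aging SHADOW_FILE [TODAY_DAYS]
password_aging() {
    local shadow_file=$1 today=$2
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))
    local user hash lastchg min max rest due
    while IFS=: read -r user hash lastchg min max rest; do
        case "$hash" in '!'*|'*'*) continue ;; esac     # locked account: aging is moot
        if [ -z "$lastchg" ]; then
            printf '%s: no aging information (empty last-change field)\n' "$user"
        elif [ "$lastchg" = "0" ]; then
            printf '%s: must change password at next login (chage -d 0)\n' "$user"
        elif [ -z "$max" ] || [ "$max" -ge 99999 ]; then
            printf '%s: password never expires\n' "$user"
        else
            due=$(( lastchg + max ))
            if [ "$today" -gt "$due" ]; then
                printf '%s: password expired %d days ago\n' "$user" $(( today - due ))
            else
                printf '%s: ok, %d days until expiry\n' "$user" $(( due - today ))
            fi
        fi
    done < "$shadow_file"
}

# login_defs_max_days LOGIN_DEFS_FILE -> effective PASS_MAX_DAYS for new users
# (last uncommented assignment wins; "#PASS_MAX_DAYS 99999" is ignored)
login_defs_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1"
}

# Demo on constructed data, with day 19400 standing in for "today".
demo_password_aging() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/login.defs" <<'EOF'
# PASS_MAX_DAYS 99999
PASS_MAX_DAYS 30
PASS_MIN_DAYS 0
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$r$hash:19380:0:99999:7:::
zhangsan:$6$z$hash:0:0:30:7:::
lisi:$6$l$hash:19380:0:30:7:::
wangwu:$6$w$hash:19300:0:30:7:::
tom:!$6$t$hash:19300:0:30:7:::
EOF
    echo "PASS_MAX_DAYS for new users: $(login_defs_max_days "$dir/login.defs")"
    password_aging "$dir/shadow" 19400
    rm -rf "$dir"
}
demo_password_aging
```

In the demo, zhangsan is the chage -d 0 case, lisi is within the 30-day window, wangwu's password ran out 70 days ago, and tom is skipped because the account is locked.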
3. Command history restrictions
- Reduce the number of commands that are recorded
- Automatically clear the command history at login
[root@localhost ~]# vi /etc/profile
###### System-wide environment file, executed for every user at login
export HISTSIZE=200
[root@localhost ~]# source /etc/profile
- Automatically clear the history at login
[root@localhost ~]# vi ~/.bashrc
echo "" > ~/.bash_history
After logging out and back in, run history: only the commands of the current session are listed.
Keep in mind that wiping ~/.bash_history also removes a trace an incident responder would want after a compromise; on monitored servers it is usually better to keep the history and rely on auditd or remote syslog for command accountability.
4. Terminal automatic logout
- Log out automatically after 600 seconds of inactivity
[root@localhost ~]# vi /etc/profile
export TMOUT=600
[root@localhost ~]# source /etc/profile
TMOUT is an ordinary shell variable, so a user can defeat the timeout with unset TMOUT unless the profile also marks it readonly; check the spelling after editing, since a misspelt variable name fails silently.
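As an added example (not part of the original notes), the script below checks a profile file for the settings of sections 3 and 4 without sourcing it: it takes the last uncommented TMOUT and HISTSIZE assignments, requires TMOUT to be 600 or less and marked readonly, and HISTSIZE to be 200 or less. Because it reads the variable names literally, a typo such as TMQUT=600 is reported as "TMOUT unset" instead of passing unnoticed. The function names and the two profile fragments in the demo are constructed for illustration; on a real host run check_profile /etc/profile (and each /etc/profile.d/*.sh drop-in).

```bash
#!/usr/bin/env bash
# Static check of idle-timeout and history settings in a profile file.

# profile_setting FILE NAME -> value of the last uncommented NAME=... assignment
profile_setting() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        { for (i = 1; i <= NF; i++)                    # handles "export A=1 B=2"
              if ($i ~ ("^" name "=")) { split($i, kv, "="); v = kv[2] } }
        END { gsub(/"/, "", v); print v }' "$1"
}

# check_profile FILE -> prints PASS/FAIL lines, returns 0 only if everything passes
check_profile() {
    local file=$1 rc=0 tmout histsize
    tmout=$(profile_setting "$file" TMOUT)
    histsize=$(profile_setting "$file" HISTSIZE)

    if [ -z "$tmout" ]; then
        echo "FAIL: TMOUT unset (check for typos such as TMQUT)"; rc=1
    elif [ "$tmout" -gt 600 ]; then
        echo "FAIL: TMOUT=$tmout, want 600 or less"; rc=1
    else
        echo "PASS: TMOUT=$tmout"
    fi

    # Without readonly, any user can run "unset TMOUT" and defeat the logout.
    if grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' "$file"; then
        echo "PASS: TMOUT is readonly"
    else
        echo "FAIL: TMOUT is not readonly, users can unset it"; rc=1
    fi

    if [ -z "$histsize" ]; then
        echo "FAIL: HISTSIZE unset"; rc=1
    elif [ "$histsize" -gt 200 ]; then
        echo "FAIL: HISTSIZE=$histsize, want 200 or less"; rc=1
    else
        echo "PASS: HISTSIZE=$histsize"
    fi
    return $rc
}

# Demo on two constructed profile fragments.
demo_check_profile() {
    local dir; dir=$(mktemp -d)
    # the typo from an unchecked edit, plus an oversized history
    printf 'export TMQUT=600\nexport HISTSIZE=1000\n' > "$dir/weak.sh"
    # the hardened version
    printf 'export TMOUT=600\nreadonly TMOUT\nexport HISTSIZE=200\n' > "$dir/hardened.sh"
    echo "== weak.sh =="
    check_profile "$dir/weak.sh" || echo "-> not compliant"
    echo "== hardened.sh =="
    check_profile "$dir/hardened.sh" && echo "-> compliant"
    rm -rf "$dir"
}
demo_check_profile
```

The check reads the file rather than sourcing it on purpose: sourcing an untrusted or half-edited profile in a root shell executes whatever else is in it.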
5. Use the su command to switch users
1. Purpose and usage:
- Purpose: Substitute User, switch to another user.
- Format: su - target_user (the "-" starts a login shell, so the target user's environment and profile are loaded)
2. Password verification:
- root -> any user: no password verification
- ordinary user -> another user: the target user's password is verified
[iery@localhost ~]$ su - root
Password: ........
whoami ---------------------------- view the current user name
6. Restrict users who use the su command
- Add the users who are allowed to run su to the wheel group
- Enable the pam_wheel authentication module
①: [root@localhost ~]# gpasswd -a tsengyia wheel
Adding user tsengyia to group wheel
②: [root@localhost ~]# vi /etc/pam.d/su
########### Edit this configuration file
#%PAM-1.0
auth sufficient pam_rootok.so
#auth required pam_wheel.so use_uid ------- uncomment this line
1: The two lines above in their default state (first line active, second commented out): every user may run su.
2: Both lines commented out: every user may still run su, but root is now prompted for the target user's password when switching to an ordinary user. With the first line active, root switches without a password, because pam_rootok.so lets a caller with UID 0 pass authentication immediately.
3: With the second line also active: only root and members of the wheel group may run su.
4: First line commented out, second line active: only members of the wheel group may run su; root is refused too, unless root itself is a member of wheel.
The use_uid option makes pam_wheel check the real UID of the calling process rather than the login name of the terminal session, so a shell that has already switched users is judged by its current UID.
Once pam_wheel authentication is enabled, users who are not in the wheel group can no longer use su.
View su operation records:
Security log file: /var/log/secure (RHEL/CentOS; Debian-family systems log to /var/log/auth.log)
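As an added example (not part of the original notes), the script below covers both halves of this section: su_policy reads an /etc/pam.d/su-style file and reports which of the four pam_rootok/pam_wheel states listed above is in effect, and su_audit extracts su attempts from a /var/log/secure-style file, pairing each caller with the target account and whether the switch succeeded. The log lines in the demo are constructed in the usual pam_unix and "FAILED SU" format rather than copied from a real host; the function names are mine. Run it as root against /etc/pam.d/su and /var/log/secure (or /var/log/auth.log) for a live check.

```bash
#!/usr/bin/env bash
# su policy check and su attempt audit.

# su_policy PAM_SU_FILE -> one line describing the effective su policy
su_policy() {
    local f=$1 rootok=no wheel=no
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so' "$f" && rootok=yes
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$f" && wheel=yes
    case "$rootok,$wheel" in
        yes,no)  echo "state 1: any user may su; root switches without a password (default)" ;;
        no,no)   echo "state 2: any user may su; root must give the target user's password" ;;
        yes,yes) echo "state 3: only root and wheel members may su; root needs no password" ;;
        no,yes)  echo "state 4: only wheel members may su; root is refused unless it is in wheel" ;;
    esac
}

# su_audit LOG_FILE -> "<caller> -> <target> ok|FAILED", one line per su attempt
su_audit() {
    awk '
        # e.g. "... su: pam_unix(su-l:session): session opened for user root by jerry(uid=1000)"
        /su(\[[0-9]+\])?: pam_unix\(su(-l)?:session\): session opened for user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") target = $(i + 1)
            who = $NF; sub(/\(.*$/, "", who)          # "jerry(uid=1000)" -> "jerry"
            print who " -> " target " ok"
        }
        # e.g. "... su: FAILED SU (to root) tom on pts/1"
        /su(\[[0-9]+\])?: FAILED SU \(to / {
            for (i = 1; i <= NF; i++) if ($i == "(to") {
                target = $(i + 1); sub(/\)$/, "", target); who = $(i + 2)
            }
            print who " -> " target " FAILED"
        }' "$1"
}

# su_failures_by_user LOG_FILE -> "<caller> <count>" of failed attempts, highest first
su_failures_by_user() {
    su_audit "$1" | awk '$4 == "FAILED" { c[$1]++ } END { for (u in c) print u, c[u] }' | sort -k2,2nr
}

# Demo on a constructed pam.d/su (state 3) and constructed log lines.
demo_su() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/pam_su" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
auth        required    pam_wheel.so use_uid
auth        substack    system-auth
EOF
    cat > "$dir/secure" <<'EOF'
Mar  5 10:15:01 localhost su: pam_unix(su-l:session): session opened for user root by jerry(uid=1000)
Mar  5 10:15:30 localhost su: FAILED SU (to root) tom on pts/1
Mar  5 10:15:41 localhost su[2211]: FAILED SU (to root) tom on pts/1
Mar  5 10:16:02 localhost su: pam_unix(su-l:session): session opened for user lisi by root(uid=0)
EOF
    su_policy "$dir/pam_su"
    su_audit "$dir/secure"
    su_failures_by_user "$dir/secure"
    rm -rf "$dir"
}
demo_su
```

Repeated FAILED SU entries for one caller against root are the pattern to alert on; with pam_wheel enabled, a caller outside the wheel group never reaches the password prompt, so those attempts stop showing up as password failures.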