Chapter outline:
Account security control
Boot and login security control
Detecting weak passwords
Port scanning
(A) Basic account security measures:
1. System account cleanup
Set the shell of accounts that never log in interactively to /sbin/nologin
Lock accounts that are not in use (passwd -l or usermod -L)
Delete accounts that are no longer needed
Lock the account files passwd and shadow
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow    # lock the account files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow       # view the lock status
----i------------ /etc/passwd
----i------------ /etc/shadow
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow    # unlock the account files
Note: while the immutable bit is set, useradd, userdel, usermod and passwd all fail, so remove it before any account change and set it again afterwards.
2. Password security control
Set password expiration
[root@localhost ~]# vim /etc/login.defs    # applies to users created afterwards
......
PASS_MAX_DAYS 30
[root@localhost ~]# chage -M 30 zhangsan   # applies to an existing user
Require the user to change the password at the next login
[root@localhost ~]# chage -d 0 zhangsan    # sets the last-change date to 0, forcing a change at the next login
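The two steps above (moving system accounts to /sbin/nologin, then applying PASS_MAX_DAYS with chage) are easier to do consistently if you first audit what would change. The script below is an added example, not code from the original page: it reads passwd- and shadow-format data and lists the accounts each step would touch. The PASSWD_SAMPLE and SHADOW_SAMPLE data are constructed inline so it runs without root; on a real host call `audit_accounts /etc/passwd /etc/shadow 30` as root, and the policy value 30 is the chapter's PASS_MAX_DAYS.

```shell
#!/bin/sh
# Account and password-aging audit (added example). Constructed sample data
# in the shape of /etc/passwd and /etc/shadow; the names and hashes are fake.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/bin/bash
zhangsan:x:1000:1000::/home/zhangsan:/bin/bash
lisi:x:1001:1001::/home/lisi:/bin/bash'

SHADOW_SAMPLE='root:$6$hash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
adm:*:18000:0:99999:7:::
zhangsan:$6$hash:18000:0:30:7:::
lisi::18000:0:99999:7:::'

# system_accounts_with_shell PASSWD_TEXT
# System accounts (0 < UID < 1000) whose shell still allows a login:
# candidates for `usermod -s /sbin/nologin NAME`.
system_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /nologin|false$/ { print $1 }'
}

# accounts_over_max_age SHADOW_TEXT MAXDAYS
# Accounts with a usable password (field 2 not locked with * or !) whose max
# age (field 5) is unset or above MAXDAYS: candidates for `chage -M MAXDAYS NAME`.
accounts_over_max_age() {
    printf '%s\n' "$1" | awk -F: -v max="$2" '$2 !~ /^[*!]/ && ($5 == "" || $5 > max) { print $1 ":" $5 }'
}

# accounts_with_empty_password SHADOW_TEXT
# An empty second field means the account can log in with no password at all.
accounts_with_empty_password() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# audit_accounts PASSWD_FILE SHADOW_FILE MAXDAYS: print all three reports
audit_accounts() {
    passwd_data=$(cat "$1"); shadow_data=$(cat "$2"); policy=$3
    echo "== system accounts with a login shell (set to /sbin/nologin) =="
    system_accounts_with_shell "$passwd_data"
    echo "== accounts over PASS_MAX_DAYS=$policy (chage -M $policy NAME) =="
    accounts_over_max_age "$shadow_data" "$policy"
    echo "== accounts with an empty password (lock them or set one) =="
    accounts_with_empty_password "$shadow_data"
}

# Stand-alone run against the constructed sample:
# audit_accounts <(printf '%s\n' "$PASSWD_SAMPLE") <(printf '%s\n' "$SHADOW_SAMPLE") 30   # bash only
```

On the sample the first report names adm (UID 3 with /bin/bash), the second names root and lisi (max age 99999), and the third names lisi. The `chage -M` from the text only changes aging; an empty password field needs `passwd -l` or a real password, which the audit calls out separately.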
3. Command history and idle-terminal limits
Command history limit (the default keeps 1000 entries)
[root@localhost ~]# vim /etc/profile       # set HISTSIZE to reduce the number of commands kept
Reduce the number of recorded commands
Clear the command history automatically on logout
[root@localhost ~]# vim ~/.bash_logout     # e.g. add: history -c
Automatic terminal logout
Log out automatically after 15 seconds idle (a value this low is for demonstration; production timeouts are usually several minutes)
[root@localhost ~]# vim ~/.bash_profile
.......
export TMOUT=15
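Editing the three files above by hand works once; the helper below is an added example (not from the original page) that applies the same settings idempotently, so running it twice never duplicates an `export` line. The file paths are parameters so the functions can be tried on copies; the values HISTSIZE=200 and TMOUT=15 are example choices, the second being the text's own.

```shell
#!/bin/sh
# Idempotent shell start-up hardening (added example).

# set_shell_var FILE NAME VALUE: replace an existing "export NAME=..." line
# or append one. VALUE must not contain '/' (it is used inside a sed pattern).
set_shell_var() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^export $name=" "$file"; then
        tmp=$(mktemp)
        sed "s/^export $name=.*/export $name=$value/" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'export %s=%s\n' "$name" "$value" >> "$file"
    fi
}

# get_shell_var FILE NAME -> current value, empty if not set
get_shell_var() {
    sed -n "s/^export $2=//p" "$1" | tail -n 1
}

# add_history_flush FILE: make the logout script clear the in-memory history
# (history -c) so nothing from the session reaches ~/.bash_history.
add_history_flush() {
    file=$1
    [ -f "$file" ] || : > "$file"
    grep -q '^history -c' "$file" || printf 'history -c\n' >> "$file"
}

# harden_shell_env [PROFILE] [LOGOUT] [BASH_PROFILE]
# Defaults are the files named in the text; pass copies to test.
harden_shell_env() {
    profile=${1:-/etc/profile}
    logout=${2:-$HOME/.bash_logout}
    bash_profile=${3:-$HOME/.bash_profile}
    set_shell_var "$profile" HISTSIZE 200      # fewer commands kept than the 1000 default
    add_history_flush "$logout"                # history -c on logout
    set_shell_var "$bash_profile" TMOUT 15     # idle timeout in seconds (example value)
}
```

A user can still run `unset TMOUT` in their own session; adding `readonly TMOUT` after the export line prevents that, which is why system-wide timeouts are usually placed in /etc/profile.d rather than in a file the user owns.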
(B) Switching users with the su command:
1. Purpose and usage
Purpose: Substitute User, switch to another user
Format: su - target_user
2. Password verification
root to any user: no password is asked
Ordinary user to another user: the target user's password is verified
3. Restricting which users may run su
Add the users allowed to run su to the wheel group
Enable the pam_wheel authentication module
[root@localhost ~]# vim /etc/pam.d/su      # uncomment the line: auth required pam_wheel.so use_uid
[root@localhost ~]# vim /etc/group         # view the members of the wheel group
You can see that zhangsan is in the group (add a user with: usermod -aG wheel zhangsan)
4. Viewing su operation records
[root@localhost ~]# vim /var/log/secure
Security log file: /var/log/secure
5. PAM authentication flow
The control type (Control Flag) decides how the return result of a module of a given type affects the outcome of the stack
a. required: on failure the remaining modules still run, but the final result is FAIL
b. requisite: on failure the whole verification ends immediately and returns FAIL
c. sufficient: on success return immediately without running the rest (unless an earlier required module already failed); on failure the result is ignored and the stack continues
d. optional: not used for the verification decision, only displays information (usually used with the session type)
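To make the pam_wheel step and the four control flags concrete, the script below is an added example, not code from the original page. enable_pam_wheel uncomments the `auth required pam_wheel.so use_uid` line in a copy of /etc/pam.d/su (PAM_SU_SAMPLE is a constructed excerpt of that file as shipped on CentOS 7, with the line commented out), and pam_stack_result evaluates a list of `flag:result` entries with the rules listed above, so you can see why a non-wheel user is still asked for a password and then refused. The su_* helpers are example stacks, not real PAM output.

```shell
#!/bin/sh
# pam_wheel enabling and a control-flag evaluator (added example).

PAM_SU_SAMPLE='#%PAM-1.0
auth      sufficient   pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth      substack     system-auth
account   include      system-auth
session   include      system-auth'

# enable_pam_wheel FILE: drop the leading '#' from the pam_wheel "required" line
enable_pam_wheel() {
    tmp=$(mktemp)
    sed 's/^#\([[:space:]]*auth[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_wheel\.so[[:space:]]\{1,\}use_uid\)/\1/' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# pam_wheel_enabled FILE -> number of active (uncommented) pam_wheel required lines
pam_wheel_enabled() {
    grep -c '^auth[[:space:]]*required[[:space:]]*pam_wheel\.so' "$1"
}

# pam_stack_result flag:result ... -> PASS or FAIL
# result is "ok" or "fail". Models the four flags as described in the text;
# real PAM additionally uses an optional module's result when it is the only
# module in the stack, which is not modelled here.
pam_stack_result() {
    final=""                                  # becomes FAIL once a required module fails
    for entry in "$@"; do
        flag=${entry%%:*}; res=${entry#*:}
        case "$flag" in
            required)   [ "$res" = ok ] || final=FAIL ;;                  # keep going, remember failure
            requisite)  [ "$res" = ok ] || { echo FAIL; return; } ;;      # stop at once
            sufficient) if [ "$res" = ok ] && [ -z "$final" ]; then echo PASS; return; fi ;;
            optional)   : ;;                                              # result not considered
        esac
    done
    [ -z "$final" ] && echo PASS || echo FAIL
}

# The auth stack of /etc/pam.d/su once pam_wheel is enabled, for three callers:
# pam_rootok (sufficient), pam_wheel (required), system-auth password check (required).
su_as_root()       { pam_stack_result sufficient:ok   required:ok   required:ok; }   # no password asked
su_as_wheel_user() { pam_stack_result sufficient:fail required:ok   required:ok; }   # password asked, PASS
su_as_nonwheel()   { pam_stack_result sufficient:fail required:fail required:ok; }   # password still asked, FAIL
```

The last case is the point of `required` versus `requisite`: because pam_wheel is `required`, the non-wheel user is still prompted for the target password and only learns of the refusal afterwards, so the prompt leaks nothing about group membership. Apply it for real with `enable_pam_wheel /etc/pam.d/su` as root after backing the file up.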
(C) Escalating privileges with the sudo mechanism
1. Purpose and usage of the sudo command
Purpose: run authorized commands as another user (such as root)
Usage: sudo authorized_command
2. Configuring sudo authorization
visudo (or vim /etc/sudoers; visudo is preferred because it checks the syntax before saving)
Record format: user host_list = command_list
3. Viewing sudo operation records
Requires the Defaults logfile setting to be enabled in sudoers
Log file used here: "/var/log/sudo" (Defaults logfile="/var/log/sudo")
[root@localhost ~]# tail /var/log/sudo
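The record format and the log file above are easier to work with in script form. The block below is an added example, not code from the original page: sudoers_rule builds a record in the `user host_list = command_list` format, install_sudoers_rule writes it as a drop-in under /etc/sudoers.d and keeps it only if `visudo -cf` accepts the syntax, and the two sudo_log_* functions pull refused attempts and executed commands out of the log that `Defaults logfile` produces. SUDO_LOG_SAMPLE is constructed to match the shape of that log; the users, host and commands are made up.

```shell
#!/bin/sh
# sudoers rule generation and sudo log triage (added example).

SUDO_LOG_SAMPLE='Oct 17 11:02:51 : zhangsan : TTY=pts/0 ; PWD=/home/zhangsan ; USER=root ; COMMAND=/sbin/ifconfig
Oct 17 11:03:00 : lisi : command not allowed ; TTY=pts/1 ; PWD=/home/lisi ; USER=root ; COMMAND=/bin/bash
Oct 17 11:04:10 : wangwu : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/wangwu ; USER=root ; COMMAND=/usr/bin/passwd root
Oct 17 11:05:33 : zhangsan : TTY=pts/0 ; PWD=/home/zhangsan ; USER=root ; COMMAND=/sbin/ifconfig ens33 down'

# sudoers_rule USER HOST CMD[,CMD...] -> "USER HOST=CMD,..."
sudoers_rule() {
    printf '%s %s=%s\n' "$1" "$2" "$3"
}

# install_sudoers_rule NAME RULE [DIR]: write DIR/NAME with mode 0440 (sudo
# refuses other modes) and validate it with visudo; remove it if rejected.
# Needs root for the real directory; DIR defaults to /etc/sudoers.d.
install_sudoers_rule() {
    dir=${3:-/etc/sudoers.d}
    target="$dir/$1"
    printf '%s\n' "$2" > "$target"
    chmod 0440 "$target"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$target" >/dev/null 2>&1; then
        rm -f "$target"
        echo "rejected by visudo: $2" >&2
        return 1
    fi
}

# sudo_log_denied LOGTEXT -> "user command" for every refused attempt
sudo_log_denied() {
    printf '%s\n' "$1" | awk -F' : ' '/command not allowed|NOT in sudoers/ {
        split($0, a, "COMMAND="); print $2 " " a[2] }'
}

# sudo_log_commands LOGTEXT USER -> commands USER actually ran, one per line
sudo_log_commands() {
    printf '%s\n' "$1" | awk -F' : ' -v u="$2" '$2 == u && $3 ~ /^TTY=/ {
        split($0, a, "COMMAND="); print a[2] }'
}

# Example rule matching the chapter's format:
#   install_sudoers_rule zhangsan "$(sudoers_rule zhangsan localhost /sbin/ifconfig)"
```

Refused attempts (`command not allowed`, `user NOT in sudoers`) are the lines worth alerting on; the constructed sample yields lisi trying /bin/bash and wangwu trying to reset root's password. Drop-ins under /etc/sudoers.d are only read if /etc/sudoers keeps its `#includedir /etc/sudoers.d` line.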
(D) Boot and shutdown security control
1. Adjust the BIOS boot settings
Set the first boot device to the disk that holds the current system
Disable booting from other devices (optical disc, USB stick, network)
Set the security level to setup and set an administrator password
2. GRUB restrictions
Use grub2-mkpasswd-pbkdf2 to generate the password hash
Edit /etc/grub.d/00_header (or a separate script such as /etc/grub.d/01_users) and add the password records
Generate a new grub.cfg with grub2-mkconfig -o /boot/grub2/grub.cfg
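The three GRUB steps chained together, as an added example that is not code from the original page: grub_hash_password feeds the password to grub2-mkpasswd-pbkdf2 and extracts the hash, grub_users_fragment renders the /etc/grub.d script that declares a GRUB superuser with that hash, and set_grub_password writes it and regenerates grub.cfg. The superuser name root, the fragment path /etc/grub.d/01_users and the is_grub_hash check are choices made for this example.

```shell
#!/bin/sh
# GRUB2 password setup (added example). Only set_grub_password needs root
# and the grub2 tools; the other functions are plain string handling.

# grub_hash_password PASSWORD -> grub.pbkdf2.sha512.<rounds>.<salt>.<hash>
# grub2-mkpasswd-pbkdf2 reads the password twice from stdin.
grub_hash_password() {
    printf '%s\n%s\n' "$1" "$1" | grub2-mkpasswd-pbkdf2 \
        | sed -n 's/.*PBKDF2 hash of your password is //p'
}

# is_grub_hash STRING: succeeds only for a hash in GRUB's PBKDF2 format,
# which guards against writing a plaintext password into grub.cfg by mistake
is_grub_hash() {
    case $1 in
        grub.pbkdf2.sha512.[0-9]*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# grub_users_fragment USER HASH -> body of an /etc/grub.d script. grub2-mkconfig
# runs each script and copies its output into grub.cfg, hence the inner heredoc.
grub_users_fragment() {
    is_grub_hash "$2" || { echo "not a GRUB PBKDF2 hash: $2" >&2; return 1; }
    cat <<FRAG
#!/bin/sh
cat <<EOF
set superusers="$1"
password_pbkdf2 $1 $2
EOF
FRAG
}

# set_grub_password USER PASSWORD [FRAGMENT_PATH]: write the fragment and rebuild grub.cfg
set_grub_password() {
    frag=${3:-/etc/grub.d/01_users}
    hash=$(grub_hash_password "$2") || return 1
    grub_users_fragment "$1" "$hash" > "$frag" || return 1
    chmod 0755 "$frag"                       # grub2-mkconfig only runs executable scripts
    grub2-mkconfig -o /boot/grub2/grub.cfg
}
```

Once `superusers` is set, editing a menu entry or using the GRUB shell requires that password; whether booting the default entry also does depends on the entries carrying `--unrestricted`, which the CentOS 7 10_linux script adds, so check the generated grub.cfg before rebooting. Recent RHEL/CentOS 7 releases also ship grub2-setpassword, which stores the same hash in /boot/grub2/user.cfg instead.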
(E) Terminal access security control
1. Allow root to log in only on secure terminals
Secure terminal configuration: /etc/securetty (consulted by pam_securetty for console logins; root logins over ssh are governed by PermitRootLogin in sshd_config instead)
[root@localhost ~]# vim /etc/securetty
2. Prohibit ordinary users from logging in
Create the file /etc/nologin (its contents are shown to users who are refused)
Logins return to normal once the nologin file is deleted or the system is rebooted
[root@localhost ~]# touch /etc/nologin      # prohibit ordinary users from logging in
[root@localhost ~]# rm -f /etc/nologin      # lift the login restriction
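Both controls above are file-driven, so they can be scripted and checked. The block below is an added example, not code from the original page: restrict_root_ttys rewrites securetty as an explicit allow-list, block_logins and unblock_logins create and remove the nologin file with a message for refused users, and the two query functions let a hardening script verify the state. The paths are parameters so the functions can be exercised on copies; the tty names and the maintenance message are example values.

```shell
#!/bin/sh
# securetty and nologin management (added example).

# restrict_root_ttys FILE TTY...: allow root only on the listed terminals.
# Example: restrict_root_ttys /etc/securetty tty1 tty2
restrict_root_ttys() {
    file=$1; shift
    : > "$file"
    for tty in "$@"; do printf '%s\n' "$tty" >> "$file"; done
}

# root_allowed_on FILE TTY: succeeds if TTY is listed. pam_securetty applies
# no restriction when the file is absent, so a missing file reports allowed;
# an empty file blocks root on every terminal.
root_allowed_on() {
    [ -f "$1" ] || return 0
    grep -qx "$2" "$1"
}

# block_logins FILE MESSAGE: create the nologin file; pam_nologin refuses
# non-root users while it exists and prints MESSAGE to them
block_logins() {
    printf '%s\n' "$2" > "$1"
}

# unblock_logins FILE: remove the nologin file (a reboot also clears it)
unblock_logins() {
    rm -f "$1"
}

# logins_blocked FILE: succeeds while the nologin file exists
logins_blocked() {
    [ -f "$1" ]
}

# Real usage (as root):
#   restrict_root_ttys /etc/securetty tty1 tty2
#   block_logins /etc/nologin "System maintenance in progress, try again later"
#   unblock_logins /etc/nologin
```

Since root is exempt from pam_nologin, keep a root console session open while /etc/nologin exists; combined with a tight securetty list, that console is the only way back in if the file is forgotten.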