Account security control
A user account is a computer user's credential or identity; anyone who wants to access system resources must log in to the computer with a user account.
Basic security measures
1. System account cleanup
- Set the shell of users that never log in to /sbin/nologin
- Delete unused accounts
- Lock accounts that are not used for a long time
chattr +i: lock a file; chattr -i: unlock a file; lsattr: view a file's lock status. We can lock the passwd and shadow files to prevent new users from being created.
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow //lock the passwd and shadow files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow //view the lock status
----i----------- /etc/passwd
----i----------- /etc/shadow //the files are locked
[root@localhost ~]# useradd siti //create a user
useradd:无法打开 /etc/passwd //the file cannot be opened, so the user cannot be created
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow //unlock the files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow //view the lock status
---------------- /etc/passwd //the files are unlocked
---------------- /etc/shadow
[root@localhost home]# useradd st11 //create a user
[root@localhost home]# echo "123123" | passwd --stdin st11 //set the user's password
更改用户 st11 的密码 。
passwd:所有的身份验证令牌已经成功更新。 //password set successfully
2. Password security control
- Set the password validity period
vim /etc/login.defs: set it in the configuration file; this applies only to users created afterwards.
chage -M [validity in days] [username]: set the password validity period of an existing user.
[root@localhost home]# vim /etc/shadow //view all users' password information
root:$6$DErFk.wqtcw55ui.$sbinnItTXo1wtxsOmThAEwBXHluuCC04as2tSUvoCEdDTHMTumpl/VcjH6KCYkJh0xc3KqLdcTq2NTe3K7nTi1::0:99999:7::: //the root user's password validity is 99999 days
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
...//some content omitted...
tcpdump:!!:18117::::::
sun:$6$g2hmfiVD2XG/zY37$53BhBT.2ILsuF22KZ2BRaE/6hmG/HsylLi1EuARoWzc8EgBbqN64T0DmyCfGsowWGFuCKDubUkBIxh1TM69Vv0:18117:0:99999:7::: //the sun user's password validity is 99999 days
st11:$6$ZGozUglO$ymyQEtkL//rzx8UdgDcy1yd3WVLiET9K6xrC.dT0lUnNH17dzkuSxkqepAC5plPlad5VWrewJOkAKJxdmiYLZ.:18136:0:99999:7::: //the st11 user's password validity is 99999 days
:q //quit
[root@localhost home]# vim /etc/login.defs //open the password configuration file to set the validity period
...//some content omitted...
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 30 //maximum password validity; changed from 99999 to 30
PASS_MIN_DAYS 0 //minimum password validity
PASS_MIN_LEN 5 //minimum password length in characters
PASS_WARN_AGE 7 //number of days before expiry to warn the user
...//some content omitted...
/99999 //search for 99999 to locate the line
//after the change, :wq to save and quit
[root@localhost ~]# useradd siti //create a user
[root@localhost ~]# passwd siti //set the user's password
更改用户 siti 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@localhost ~]# vim /etc/shadow //view all users' password information
root:$6$DErFk.wqtcw55ui.$sbinnItTXo1wtxsOmThAEwBXHluuCC04as2tSUvoCEdDTHMTumpl/VcjH6KCYkJh0xc3KqLdcTq2NTe3K7nTi1::0:99999:7::: //password validity unchanged
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
nome-initial-setup:!!:18117::::::
...//some content omitted...
avahi:!!:18117::::::
postfix:!!:18117::::::
tcpdump:!!:18117::::::
sun:$6$g2hmfiVD2XG/zY37$53BhBT.2ILsuF22KZ2BRaE/6hmG/HsylLi1EuARoWzc8EgBbqN64T0DmyCfGsowWGFuCKDubUkBIxh1TM69Vv0:18117:0:99999:7::: //password validity unchanged
st11:$6$ZGozUglO$ymyQEtkL//rzx8UdgDcy1yd3WVLiET9K6xrC.dT0lUnNH17dzkuSxkqepAC5plPlad5VWrewJOkAKJxdmiYLZ.:18136:0:99999:7::: //password validity unchanged
siti:$6$RUXRmwz/$046PV4WYKzGpp.32FT7GKu04jvaCkut/d2GjtseMi1MnU1YfGMy1.AJdtOPZByWCyfP05LqoRNe0OT5tz1FUv1:18136:0:30:7::: //the newly created user siti has a 30-day password validity
[root@localhost ~]# chage -M 30 st11 //change user st11's password validity to 30 days
[root@localhost ~]# vim /etc/shadow //view all users' password information
root:$6$DErFk.wqtcw55ui.$sbinnItTXo1wtxsOmThAEwBXHluuCC04as2tSUvoCEdDTHMTumpl/VcjH6KCYkJh0xc3KqLdcTq2NTe3K7nTi1::0:99999:7:::
bin:*:17110:0:99999:7:::
daemon:*:17110:0:99999:7:::
...//some content omitted...
tcpdump:!!:18117::::::
sun:$6$g2hmfiVD2XG/zY37$53BhBT.2ILsuF22KZ2BRaE/6hmG/HsylLi1EuARoWzc8EgBbqN64T0DmyCfGsowWGFuCKDubUkBIxh1TM69Vv0:18117:0:99999:7:::
st11:$6$ZGozUglO$ymyQEtkL//rzx8UdgDcy1yd3WVLiET9K6xrC.dT0lUnNH17dzkuSxkqepAC5plPlad5VWrewJOkAKJxdmiYLZ.:18136:0:30:7::: //user st11's password validity changed to 30 days
siti:$6$RUXRmwz/$046PV4WYKzGpp.32FT7GKu04jvaCkut/d2GjtseMi1MnU1YfGMy1.AJdtOPZByWCyfP05LqoRNe0OT5tz1FUv1:18136:0:30:7:::
- Require the user to change the password at the next login
chage -d 0 username: force the user to change the password at the next login. After this command is used, when the specified user logs in and sets a new password, the new password is checked: a password made up of a simple sequence of letters or Arabic numerals is not allowed, and if no acceptable password is given the reset cannot be completed, so this command is not recommended.
[root@localhost ~]# chage -d 0 st11
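The login.defs change above only affects accounts created afterwards, so existing accounts keep whatever maximum age they already had. The following script is an added example, not part of the original post: it reads shadow-format data, skips accounts that have no usable password hash, and prints a `chage -M` command for every account whose maximum age is unset or exceeds a limit. The shadow content is constructed with placeholder hashes, and the function name is the example's own.

```bash
#!/bin/sh
# Added example (not from the original post): audit password ageing in shadow-format data
# and print the chage command that would bring each non-compliant account into line.
# The sample below is constructed; the hashes are placeholders, not real password hashes.

SAMPLE_SHADOW='root:$6$PLACEHOLDER.HASH::0:99999:7:::
bin:*:17110:0:99999:7:::
tcpdump:!!:18117::::::
sun:$6$PLACEHOLDER.HASH:18117:0:99999:7:::
st11:$6$PLACEHOLDER.HASH:18136:0:30:7:::
siti:$6$PLACEHOLDER.HASH:18136:0:30:7:::'

# audit_shadow_aging MAXDAYS   (shadow content on stdin)
# Shadow fields: 1 name, 2 hash, 5 maximum password age in days.
# Accounts whose hash field is empty, "*" or starts with "!" cannot log in with a
# password, so they are skipped; every other account whose maximum age is unset or
# larger than MAXDAYS is reported as a ready-to-run "chage -M" command.
audit_shadow_aging() {
    awk -F: -v limit="$1" '
        $2 != "" && $2 != "*" && $2 !~ /^!/ {
            if ($5 == "" || $5 + 0 > limit + 0)
                print "chage -M " limit " " $1
        }'
}

# Run on the constructed sample; on a real host use: audit_shadow_aging 30 < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow_aging 30
```

The sample run reports root and sun, whose maximum age is still 99999, and leaves the two accounts already set to 30 days alone.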
3. Limiting the command history
- View and clear the command history
history: view the command history
history -c: clear the command history
[root@localhost ~]# history //view the command history
1 vim /ect/sysconfig/network-scripts/ifcfg-ens33
2 vim /etc/sysconfig/network-scripts/ifcfg-ens33
3 vim /ect/sysconfig/network-scripts/ifcfg-ens33
4 vim /ect/sysconfig/network-scripts/ifcfg-ens33
5 vim /ect/sysconfig/netwok-scripts/ifcfg-ens33
6 vim /etc/sysconfig/network-scripts/ifcfg-ens-33
7 vim /etc/sysconfig/network-scirpts/ifcfg-ens33
8 vim /etc/sysconfig/network-scripts/ifcfg-ens33
9 vim /etc/sysconfig/network-scirpts/ifcfg-ens33
10 vim /etc/sysconfig/network-scripts/ifcfg-ens33
11 service network restart
12 ifconfig
13 chattr +i /etc/passwd /etc/shadow
14 lsattr /etc/passwd /etc/shadow
15 chattr -i /etc/passwd /etc/shadow
16 lsattr /etc/passwd /etc/shadow
17 chattr +i /etc/passwd/ /etc/shadow
18 chattr +i /etc/passwd /etc/shadow
19 lsattr
20 lsattr /etc/passwd /etc/shadow
21 useradd siti
22 chattr -i /etc/passwd /etc/shadow
23 lsattr /etc/passwd /etc/shadow
24 useradd siti
25 passwd siti
26 history
[root@localhost ~]# history -c //clear the command history
[root@localhost ~]# history //view the command history
1 history
- Reduce the number of recorded commands
vim /etc/profile: the system environment variable configuration file; change the HISTSIZE value in it to set how many history entries are kept.
source /etc/profile: make the configuration change take effect.
[root@localhost ~]# vim /etc/profile
[root@localhost ~]# history //view the history; at this point the setting has not taken effect yet
1 history
2 vim /etc/profile
3 history
[root@localhost ~]# source /etc/profile //make the changed configuration take effect
[root@localhost ~]# history //view the history again
4 history //only one command is shown
- Automatic logout when idle
vim /etc/profile: edit the configuration file to add an idle-logout entry and set the automatic logout time:
export TMOUT=seconds: the idle time after which the session is logged out
[root@localhost ~]# vim /etc/profile //open the configuration file for editing
pathmunge /usr/local/sbin after
pathmunge /usr/sbin after
# /etc/profile
# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc
# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
...//省略部分内容...
fi
fi
done
unset i
unset -f pathmunge
export TMOUT=60 //add this entry
:wq //save and quit
[root@localhost ~]# source /etc/profile //make the added entry take effect
After this setting takes effect, an idle session is logged out automatically after 60 seconds. The timeout can be chosen according to your own working habits.
- Automatically clear the command history at logout
vim ~/.bash_logout: the user's environment configuration file.
Add history -c to this file so that the command history (and the screen) is cleared automatically when the user logs out, which improves security.
[root@localhost ~]# cd /home //enter the home directories
[root@localhost home]# ls //list the users
siti st11 sun
[root@localhost home]# cd st11 //enter user st11's directory
[root@localhost st11]# ls -a //check whether the hidden .bash_logout configuration file exists
. .bash_logout .bashrc .config .ICEauthority .mozilla 模板 图片 下载 桌面
.. .bash_profile .cache .esd_auth .local 公共 视频 文档 音乐
[root@localhost st11]# vim .bash_logout //open the configuration file for editing
# ~/.bash_logout
history -c //added: clear the command history
clear //added: clear the screen
:wq //save and quit
4. Switching users and privilege escalation
Most Linux servers do not allow users to log in directly as root. On the one hand this greatly reduces the damage caused by mistaken operations; on the other it reduces the risk of the privileged password being compromised on an insecure network.
The su command
su: switch user
su -: switch user and enter the target user's home directory with their login environment
[root@localhost /]# su siti //switch to user siti
[siti@localhost /]$ //now user siti
[siti@localhost /]$ su - root //switch to root and go to root's home directory
密码:
上一次登录:三 8月 28 11:55:19 CST 2019从 192.168.144.1pts/0 上
[root@localhost ~]# //now root, in root's home directory
- PAM authentication
PAM (Pluggable Authentication Modules) is the Linux pluggable authentication module framework. It is an efficient, flexible and convenient mechanism for user-level authentication, and it is the authentication method most commonly used on Linux servers today.
- PAM authentication principle
PAM authentication generally follows the order: Service (the service) → PAM (the configuration file) → pam_*.so. PAM authentication first determines which service is involved, then loads the corresponding PAM configuration file (located under /etc/pam.d), and finally calls the authentication module files (located under /lib/security) to perform the security check. When a user accesses the server, the server's service program hands the user's request to the PAM module for authentication. Different applications correspond to different PAM modules.
- PAM includes four types of authentication management
auth management: accepts the user name and password, then authenticates the user's password;
account management: checks whether the account is allowed to log in to the system, whether it has expired, and whether logins are restricted to certain time periods;
password management: mainly used to change the user's password;
session management: mainly provides session management and accounting.
- Control types, which decide how a module's result affects the overall PAM verdict
required: if verification fails, the remaining modules still run, but the final result is Fail
requisite: if verification fails, the whole verification process ends immediately and returns Fail
sufficient: if verification succeeds, success is returned immediately and no further modules run; otherwise the result is ignored and verification continues
optional: not used for authentication, only for displaying information (commonly used with the session type)
You can list the /etc/pam.d directory to see the configuration files of the services that support PAM authentication.
[root@localhost ~]# ls /etc/pam.d //list the pam configuration directory
atd gdm-pin postlogin-ac su
chfn gdm-smartcard ppp sudo
chsh ksu remote sudo-i
config-util liveinst runuser su-l
crond login runuser-l system-auth
cups other setup system-auth-ac
fingerprint-auth passwd smartcard-auth systemd-user
fingerprint-auth-ac password-auth smartcard-auth-ac vlock
gdm-autologin password-auth-ac smtp vmtoolsd
gdm-fingerprint pluto smtp.postfix xserver
gdm-launch-environment polkit-1 sshd
gdm-password postlogin sssd-shadowutils //services that support PAM authentication
Each service entry stores its own security authentication configuration; the /etc/security directory also stores security authentication configuration files.
[root@localhost ~]# ls /etc/security
access.conf console.handlers group.conf namespace.conf opasswd sepermit.conf
chroot.conf console.perms limits.conf namespace.d pam_env.conf time.conf
console.apps console.perms.d limits.d namespace.init pwquality.conf
Open a service's configuration file in the pam.d directory to see its security authentication settings.
[root@localhost ~]# vim /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
Each line is a separate authentication step and can be divided into three fields:
auth: the authentication type
sufficient: the control type
pam_rootok.so: the PAM module and its parameters
Enable PAM wheel authentication for su in this file as follows.
[root@localhost ~]# vim /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid //remove the leading # from this entry to enable pam_wheel authentication
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
- The wheel group
In Linux the wheel group is similar to an administrators group. With this PAM authentication enabled, only users in the wheel group can enter the root shell through the su command by supplying the root password. An ordinary user who is not in the wheel group cannot switch to root with su even if they know the root password. This greatly improves the security of the root account.
[root@localhost ~]# vim /etc/group //view the groups
...//some content omitted...
mem:x:8:
kmem:x:9:
wheel:x:10:sun //the wheel group currently has only one user, sun
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
...//some content omitted...
[root@localhost ~]# su - sun //switch to user sun
上一次登录:三 8月 28 16:22:56 CST 2019pts/0 上
[sun@localhost ~]$ su - root //switch to root
密码:
上一次登录:三 8月 28 16:23:23 CST 2019pts/0 上
[root@localhost ~]# su - siti //switch to user siti
上一次登录:三 8月 28 16:23:14 CST 2019pts/0 上
[siti@localhost ~]$ su - root //switch to root
密码:
su: 拒绝权限 //cannot switch; access denied
[siti@localhost ~]$
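As an added example that is not part of the original post, the following script checks the two facts the section above relies on: whether an uncommented `auth required pam_wheel.so` line is present in /etc/pam.d/su, and who is in the wheel group. Both inputs are constructed samples modelled on the files shown above, and the function names are the example's own.

```bash
#!/bin/sh
# Added example (not from the original post): check whether su to root is restricted to
# the wheel group and list who is in that group. Both samples are constructed from the
# configuration shown in the post, not read from a live system.

SAMPLE_PAM_SU='#%PAM-1.0
auth sufficient pam_rootok.so
#auth sufficient pam_wheel.so trust use_uid
auth required pam_wheel.so use_uid
auth substack system-auth
account include system-auth'

SAMPLE_GROUP='root:x:0:
wheel:x:10:sun
cdrom:x:11:'

# su_wheel_enforced   (pam.d/su content on stdin) -> prints "yes" or "no"
# Only an uncommented "auth required|requisite pam_wheel.so" line blocks non-members;
# the commented "sufficient ... trust" variant merely lets members skip the password
# and does nothing against users outside the group.
su_wheel_enforced() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 == "pam_wheel.so" { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# wheel_members   (group file content on stdin) -> comma-separated supplementary members
# Users whose primary group (the GID in /etc/passwd) is wheel do not appear here.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }'
}

# su_root_report PAM_SU_CONTENT GROUP_CONTENT -> one summary line
# On a real host: su_root_report "$(cat /etc/pam.d/su)" "$(cat /etc/group)"
su_root_report() {
    enforced=$(printf '%s\n' "$1" | su_wheel_enforced)
    members=$(printf '%s\n' "$2" | wheel_members)
    if [ "$enforced" = "yes" ]; then
        echo "su to root restricted to wheel members: ${members:-<none>}"
    else
        echo "su to root NOT restricted: any user who knows the root password can switch"
    fi
}

su_root_report "$SAMPLE_PAM_SU" "$SAMPLE_GROUP"
```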
- sudo privilege escalation
With the su command you can easily switch to another user, but only if you know the target user's login password. On a production Linux server, every additional person who knows the privileged password adds one more security risk. In this case the sudo command can be used to run commands with elevated privileges. However, the administrator must authorize in advance which users are allowed to run which commands as the superuser (or as another ordinary user). The authorization is added in the configuration file /etc/sudoers, or with visudo, which checks the sudoers syntax before saving. The basic format of an authorization record is
user host_name_list = command_program_list
User: the authorized user name, or "%groupname" to authorize all users of a group.
Host: the host names on which this configuration applies. This part makes it easy to share one sudoers file across multiple hosts; it is usually set to localhost or the actual host name.
Command: the privileged commands the authorized user is allowed to run through sudo. The full path of each command program must be given, and multiple commands are separated by commas ",".
First look at the members of the wheel group, then log in as a user who is not in the wheel group and run the command that changes the network address, to see whether the address can be changed.
[root@localhost ~]# vim /etc/group
...//some content omitted...
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:sun //only one user, sun
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
ppy:x:19:
...//some content omitted...
[siti@localhost ~]$ ifconfig //view the network interface information
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.144.133 netmask 255.255.255.0 broadcast 192.168.144.255
inet6 fe80::a85a:c203:e2e:3f3c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:5b:d3:a0 txqueuelen 1000 (Ethernet)
RX packets 49 bytes 7062 (6.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 86 bytes 9493 (9.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
...//some content omitted...
[siti@localhost ~]$ ifconfig ens33 192.168.144.138 //change the IP address of ens33
SIOCSIFADDR: 不允许的操作 //operation not permitted
SIOCSIFFLAGS: 不允许的操作
[siti@localhost ~]$ sudo ifconfig ens33 192.168.144.138 //run it with sudo
[sudo] siti 的密码:
siti 不在 sudoers 文件中。此事将被报告。 //siti is not in sudoers, so the command cannot run
[siti@localhost ~]$ ifconfig //view the interface to see whether the IP address changed
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.144.133 netmask 255.255.255.0 broadcast 192.168.144.255
inet6 fe80::a85a:c203:e2e:3f3c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:5b:d3:a0 txqueuelen 1000 (Ethernet)
RX packets 27 bytes 5649 (5.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 89 bytes 9710 (9.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
...//some content omitted...
Now switch back to root and add an authorization entry for user siti. The file is edited directly with vim here; because /etc/sudoers is read-only, the save has to be forced with :w!. Using visudo instead avoids this and validates the syntax, since a malformed sudoers file stops sudo from working at all.
[root@localhost ~]# vim /etc/sudoers
...//some content omitted...
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
#ar groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
siti localhost = /sbin/ifconfig //enter the authorization record; note that the full command path must be written
## Command Aliases
...//some content omitted...
## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
:w! //force the save, then type :q to quit
After finishing, log out of the system, log in as user siti, and use sudo to change the IP address again to see whether it can be changed.
[siti@localhost ~]$ sudo ifconfig ens33 192.168.144.138 //run the command with sudo privileges
[sudo] siti 的密码:
[siti@localhost ~]$ ifconfig //check whether the IP address changed
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.144.138 netmask 255.255.255.0 broadcast 192.168.144.255
inet6 fe80::a85a:c203:e2e:3f3c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:5b:d3:a0 txqueuelen 1000 (Ethernet)
RX packets 445 bytes 39033 (38.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
...//some content omitted... //the IP address has changed
5. Boot security control
- Adjust the BIOS boot settings
  - Set the first boot device to the disk where the current system is installed.
  - Disable booting from other devices by setting the corresponding items to "Disabled".
  - Change the BIOS security level to "setup" and set an administrator password to prevent unauthorized changes.
- Restrict changes to the GRUB boot parameters
  - Use grub2-mkpasswd-pbkdf2 to generate the password hash
  - Modify the /etc/grub.d/00_header file to add the password record
  - Generate a new grub.cfg configuration file
[root@localhost ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak //back up the configuration file
[root@localhost ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak //back up the configuration file
[root@localhost ~]# grub2-mkpasswd-pbkdf2 //generate the hashed grub password
输入口令: //enter the password
Reenter password: //enter the password again to confirm
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.DFD8DA01D53B3B06F6023E9FF1D2C293B897FB5240235A28FD2B3633E53AEFA3920E8F04F59054995C305A00BE0EAC51381199F61351D3B75522B0D8FF9024E6.FB8C7B18FB79AC3AD20C1D5F580791DAB4C63A31DAD407E4F35DD2CBBA9C3AA6305B4B9DFBEC8743ECE211EBBC1ECD9E62241D80936E3602B17C1E1DA145394B //the generated hash; copy the part after "PBKDF2 hash of your password is"
[root@localhost ~]# vim /etc/grub.d/00_header //edit grub's header configuration file
...//some content omitted...
echo "play ${GRUB_INIT_TUNE}"
fi
if [ "x${GRUB_BADRAM}" != "x" ] ; then
echo "badram ${GRUB_BADRAM}"
fi
cat << EOF //add these entries to set the grub password
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.DFD8DA01D53B3B06F6023E9FF1D2C293B897FB5240235A28FD2B3633E53AEFA3920E8F04F59054995C305A00BE0EAC51381199F61351D3B75522B0D8FF9024E6.FB8C7B18FB79AC3AD20C1D5F580791DAB4C63A31DAD407E4F35DD2CBBA9C3AA6305B4B9DFBEC8743ECE211EBBC1ECD9E62241D80936E3602B17C1E1DA145394B
EOF //the here-document must be closed with a matching EOF line
:wq //save and quit when done
[root@localhost ~]# grub2-mkconfig -o /boot/grub2/grub.cfg //从新制作grub配置文件
Generating grub configuration file ...
/etc/grub.d/00_header: line 362: warning: here-document at line 359 delimited by end-of-file (wanted `EOF')
Found linux image: /boot/vmlinuz-3.10.0-693.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-693.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-53d38298b286406e9641157795cda5db
Found initrd image: /boot/initramfs-0-rescue-53d38298b286406e9641157795cda5db.img
done //configuration complete
The warning about a here-document delimited by end-of-file appears when the cat << EOF block in 00_header has no closing EOF line, so the here-document runs to the end of the file; grub.cfg is still generated, but the block should be terminated with an EOF line.
[root@localhost ~]# init 6 //reboot the system
6. Prohibiting root logins
In a Linux system, the login program reads the /etc/securetty file to decide which terminals (secure terminals) the root user is allowed to log in from. To ban root from logging in on a given terminal, simply delete or comment out the corresponding line in that file. For example, to prevent root from logging in from tty5 and tty6, comment out the tty5 and tty6 lines in /etc/securetty.
[root@localhost ~]# vim /etc/securetty
...//some content omitted...
tty4
#tty5
#tty6
tty7
...//some content omitted...
:wq
Detecting weak passwords
In the Internet environment, an overly simple password is the biggest risk a server faces. Although everyone knows that longer, more complex passwords are more secure, there will always be some users who, for the sake of convenience, choose simple and easy-to-remember password strings. For any administrator responsible for security, identifying these weak-password accounts promptly is necessary so that further security measures can be taken.
1. Installing the weak-password detection software john
My john installation package is on my host machine; through file sharing I let the virtual-machine Linux system find the john package, then install and use it.
[root@localhost ~]# smbclient -L //192.168.144.128/ //view the host machine's shares
Enter SAMBA\root's password: //my shared host has no password set, so just press Enter
OS=[Windows 10 Enterprise 10240] Server=[Windows 10 Enterprise 6.3]
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk 远程管理
C$ Disk 默认共享
IPC$ IPC 远程 IPC
share Disk //where the john package is stored
Users Disk
Connection to 192.168.144.128 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
[root@localhost ~]# mount.cifs //192.168.144.128/share /mnt/tast //mount the share on a local directory
Password for root@//192.168.144.128/share: //press Enter
[root@localhost ~]# df -h
文件系统 容量 已用 可用 已用% 挂载点
/dev/sda2 20G 3.6G 17G 18% /
devtmpfs 898M 0 898M 0% /dev
tmpfs 912M 0 912M 0% /dev/shm
tmpfs 912M 9.0M 903M 1% /run
tmpfs 912M 0 912M 0% /sys/fs/cgroup
/dev/sda5 10G 37M 10G 1% /home
/dev/sda1 6.0G 174M 5.9G 3% /boot
tmpfs 183M 12K 183M 1% /run/user/42
tmpfs 183M 0 183M 0% /run/user/0
//192.168.144.128/share 60G 11G 50G 18% /mnt/tast //mounted successfully
[root@localhost ~]# cd /mnt/tast //go to the mounted directory
[root@localhost tast]# ls
john-1.8.0.tar.gz //the john package
[root@localhost tast]# tar zxvf john-1.8.0.tar.gz -C /mnt //extract the package into /mnt
john-1.8.0/README
john-1.8.0/doc/CHANGES
john-1.8.0/doc/CONFIG
john-1.8.0/doc/CONTACT
...//some content omitted...
[root@localhost tast]# cd .. //back to /mnt
[root@localhost mnt]# ls //list
john-1.8.0 tast //the extracted package is shown
[root@localhost mnt]# cd john-1.8.0/ //enter the package directory
[root@localhost john-1.8.0]# ls
doc README run src
[root@localhost john-1.8.0]# cd run
[root@localhost run]# ls //the run directory holds the executables; at this point there is no executable yet, it has to be built
ascii.chr digits.chr john.conf lm_ascii.chr mailer makechr password.lst relbench
[root@localhost run]# yum install gcc gcc-c++ //install the compilers needed to build the john executable from source
已加载插件:fastestmirror, langpacks
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
Loading mirror speeds from cached hostfile
* base: .ustc.edu.cn
* extras: mirrors.cn99.com
* updates: mirrors.163.com
正在解决依赖关系
--> 正在检查事务
---> 软件包 gcc.x86_64.0.4.8.5-36.el7_6.2 将被 安装
--> 正在处理依赖关系 libgomp = 4.8.5-36.el7_6.2,它被软件包 gcc-4.8.5-3
...//some content omitted...
[root@localhost run]# cd .. //back to the parent directory
[root@localhost john-1.8.0]# ls //list
doc README run src
[root@localhost john-1.8.0]# cd src //enter the source directory
[root@localhost src]# ls //check that the sources are present
AFS_fmt.c charset.h DES_std.c john.asm MD5_fmt.c pa-risc.h signals.c unshadow.c
alpha.h common.c DES_std.h john.c MD5_std.c path.c signals.h vax.h
alpha.S common.h detect.c john.com MD5_std.h path.h single.c wordlist.c
batch.c compiler.c dummy.c john.h memory.c ppc32alt.h single.h wordlist.h
...//some content omitted...
[root@localhost src]# make linux-x86-64 //compile directly in the source directory
ln -sf x86-64.h arch.h
make ../run/john ../run/unshadow ../run/unafs ../run/unique \
JOHN_OBJS="DES_fmt.o DES_std.o DES_bs.o DES_bs_b.o BSDI_fmt.o MD5_fmt.o MD5_std.o BF_fmt.o BF_std.o AFS_fmt.o LM_fmt.o trip_fmt.o dummy.o batch.o bench.o charset.o common.o compiler.o config.o cracker.o crc32.o external.o formats.o getopt.o idle.o inc.o john.o list.o loader.o logger.o math.o memory.o misc.o options.o params.o path.o recovery.o rpp.o rules.o signals.o single.o status.o tty.o wordlist.o unshadow.o unafs.o unique.o c3_fmt.o x86-64.o" \
CFLAGS="-c -Wall -Wdeclaration-after-statement -O2 -fomit-frame-pointer -DHAVE_CRYPT" \
LDFLAGS="-s -lcrypt"
make[1]: 进入目录“/mnt/john-1.8.0/src”
gcc -c -Wall -Wdeclaration-after-statement -O2 -fomit-frame-pointer -DHAVE_CRYPT -funroll-loops DES_fmt.c
...//some content omitted...
rm -f ../run/unshadow
ln -s john ../run/unshadow
rm -f ../run/unafs
ln -s john ../run/unafs
rm -f ../run/unique
ln -s john ../run/unique
make[1]: 离开目录“/mnt/john-1.8.0/src” //compilation finished
[root@localhost src]# cd /mnt/john-1.8.0/run/ //enter the run directory
[root@localhost run]# ls //check whether the executable has appeared
ascii.chr john lm_ascii.chr makechr relbench unique
digits.chr john.conf mailer password.lst unafs unshadow
//the john executable has been built in this directory, which completes the installation of john
2. Detecting weak passwords with john
[root@localhost ~]# cd /mnt/john-1.8.0/run //enter the run directory
[root@localhost run]# ls //confirm the executable is present
ascii.chr john lm_ascii.chr makechr relbench unique
digits.chr john.conf mailer password.lst unafs unshadow
[root@localhost run]# ./john /etc/shadow //run john against the shadow file, which stores the users' password hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
123123 (root) //the weak user passwords are detected
123123 (sun)
2g 0:00:00:15 100% 2/3 0.1332g/s 420.1p/s 452.0c/s 452.0C/s leslie..boston
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Network port scanning
Using the nmap port-scanning tool to probe network connections, you can find uncontrolled application services on the network, shut down unsafe services promptly, and reduce security risks.
1. Installing the nmap tool
[root@localhost run]# yum install nmap -y //nmap can be installed directly with yum
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* extras: centos.ustc.edu.cn
* updates: centos.ustc.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 nmap.x86_64.2.6.40-16.el7 将被 安装
--> 正在处理依赖关系 nmap-ncat = 2:6.40-16.el7,它被软件包 2:nmap-6.40-16.el7.x86_64 需要
--> 正在检查事务
...//some content omitted...
2. Using nmap to detect network ports
- Command format
nmap [scan type] [options] <scan target...>
- Common scan types
-sS: TCP SYN scan. Only a SYN packet is sent to the target; if a SYN/ACK response is received, the target port is considered to be listening and the connection is dropped immediately; otherwise the port is considered not open.
-sT: TCP connect scan, the complete TCP scan mode, which establishes a full TCP connection; if this succeeds the target port is considered to be listening, otherwise it is considered not open.
-sF: TCP FIN scan. An open port ignores this packet, while a closed port responds with an RST packet.
-sU: UDP scan. Probes which UDP services the target host provides; UDP scanning is slower.
-sP: ICMP scan. Similar to ping detection: quickly determines whether the target host is alive and does no other scanning.
-P0: skip ping detection. Treats every target host as alive; when hosts do not respond to ICMP requests, this avoids nmap giving up the scan because it cannot ping them.
[root@localhost run]# nmap -sT 127.0.0.1 //detect the open TCP ports on the local host
Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-02 03:19 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00082s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
[root@localhost run]# nmap -sU 127.0.0.1 //detect the open UDP ports on the local host
Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-02 03:21 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000049s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
111/udp open rpcbind
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 48.95 seconds
[root@localhost run]# nmap -sP 192.168.31.12 //check whether the target host is alive
Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-02 03:24 CST
Nmap scan report for 192.168.31.12
Host is up (0.00067s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
[root@localhost run]# nmap -sT 192.168.31.12 //detect the open TCP ports on the target host
Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-02 03:30 CST
Nmap scan report for 192.168.31.12
Host is up (0.0019s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
Nmap done: 1 IP address (1 host up) scanned in 9.32 seconds
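To turn a scan into an actionable list, the following added example (not part of the original post) filters an nmap port table against an allow-list of expected ports and reports every other open or open|filtered port, i.e. the services that should be reviewed or shut down. The nmap report is constructed to resemble the localhost scans above, and the function name is the example's own.

```bash
#!/bin/sh
# Added example (not from the original post): compare an nmap -sT/-sU report against an
# allow-list of expected ports and print every open port that is not on it. The report
# below is constructed to mirror the localhost scans in the post; it was not captured
# from a live host.

SAMPLE_NMAP='Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-02 03:19 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00082s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds'

# unexpected_open_ports "22/tcp 25/tcp ..."   (nmap output on stdin)
# Matches only the port-table lines (NNN/tcp or NNN/udp). "open|filtered", which UDP
# scans report when nothing answered, is counted as open because nmap could not prove
# the port closed.
unexpected_open_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 ~ /^open/ && !($1 in ok) { print $1, $3 }'
}

# Example run: only ssh is expected on this host.
# On a real host: nmap -sT 127.0.0.1 | unexpected_open_ports "22/tcp"
printf '%s\n' "$SAMPLE_NMAP" | unexpected_open_ports "22/tcp"
```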
thanks for reading.