Linux Security Applications 2

Source: Internet
Author: User
Tags: auth, md5, encryption, wrappers, ssh server, asymmetric encryption

# service NetworkManager stop

# chkconfig NetworkManager off

# setup

# vim /etc/udev/rules.d/70-persistent-net.rules

# modprobe -rv e1000

# modprobe -v e1000

# vim /etc/sysconfig/network-scripts/ifcfg-eth0

# service network restart

# setenforce 0

# vim /etc/selinux/config

SELINUX=disabled

:wq


# ssh -X 192.168.1.1   // -X forwards X11, so graphical tools such as the network/date configuration dialogs on the remote server are displayed locally

# ssh 192.168.10.1 'useradd bob'   // a command given after the address is executed on the remote host without an interactive login

# ping6 ::1   // IPv6 local loopback

# ping 127.0.0.1   // IPv4 local loopback

# netstat -tunlp | more   // list the listening TCP/UDP ports (numeric) together with the owning process

:::111   // in the netstat output, the 111 after the last colon is the port number; the leading :: is the IPv6 any-address


/etc/ssh   SSH configuration directory

ssh_config   client configuration file

sshd_config   server (sshd) configuration file

# vim /etc/ssh/sshd_config

Port 3389   // listening port number

Protocol 2   // protocol version

ListenAddress 192.168.168.174   // local address to listen on; 0.0.0.0 means all addresses

PermitRootLogin no   // do not allow the root user to log in

PermitEmptyPasswords no   // do not allow accounts with an empty password

UseDNS no   // do not reverse-resolve client IP addresses to host names

LoginGraceTime 2m   // disconnect if the login is not completed within two minutes

StrictModes yes   // check ownership and permissions of the user's files before accepting them

MaxAuthTries 6   // at most 6 authentication attempts per connection

:wq

# man ssh   // help for the ssh command

# man 5 sshd_config   // help for the configuration file format; give the file name without a path

# ssh -p 3389 192.168.10.3   // connect to SSH on port 3389
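An added example (not part of the original notes): a small Python audit that parses an sshd_config and reports where it deviates from the settings listed above. The sample configuration is constructed; like sshd, the parser takes the first occurrence of a keyword.

```python
import re

# Values the notes above set in /etc/ssh/sshd_config (added helper, not from the page).
EXPECTED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "usedns": "no",
    "strictmodes": "yes",
}
MAX_AUTH_TRIES = 6


def parse_sshd_config(text):
    """Map lowercased keyword -> value. As in sshd, the first occurrence of a keyword wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def audit_sshd_config(text):
    """Return (keyword, found, expected) for every directive that is missing or wrong."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None or got.lower() != want:
            findings.append((key, got, want))
    tries = cfg.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", tries, "<= %d" % MAX_AUTH_TRIES))
    return findings


# Constructed sample: two of the page's settings are wrong (root login, auth tries).
SAMPLE = """\
# sshd_config (constructed sample)
Port 3389
Protocol 2
PermitRootLogin yes
PermitEmptyPasswords no
UseDNS no
LoginGraceTime 2m
StrictModes yes
MaxAuthTries 10
"""
```

Calling `audit_sshd_config(SAMPLE)` returns the two findings, PermitRootLogin and MaxAuthTries; an empty list means the file matches the notes.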


SSH black and white list settings

Configuration file: /etc/ssh/sshd_config

The directives are processed in this order, from the top down:

1. DenyUsers USER1 USER2 ...

2. AllowUsers USER@HOST USER2 ...

3. DenyGroups GROUP1 GROUP2 ...

4. AllowGroups GROUP1 GROUP2 ...


Example:

# vim /etc/ssh/sshd_config

AllowUsers tom root@192.168.10.5   // allow user tom to log in, and allow root to log in only from host 192.168.10.5; from other hosts root is refused, and once AllowUsers is set, users not listed are refused by default

:wq
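An added example (not from the original notes) that evaluates the four directives in the order given above, with sshd's USER@HOST form and its * and ? wildcards; the configurations are constructed dictionaries and the function is an assumed helper, not sshd's own code.

```python
from fnmatch import fnmatchcase


def pattern_matches(pattern, user, host):
    """One AllowUsers/DenyUsers pattern: USER, or USER@HOST where both parts must match.
    * and ? wildcards are allowed, as in sshd_config(5)."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatchcase(user, user_pat) and fnmatchcase(host, host_pat)
    return fnmatchcase(user, pattern)


def login_permitted(user, host, groups, cfg):
    """cfg holds optional lists DenyUsers, AllowUsers, DenyGroups, AllowGroups.
    They are applied in that order: a Deny match refuses, and once an Allow list
    exists only users/groups matching it get through (everyone else is refused)."""
    if any(pattern_matches(p, user, host) for p in cfg.get("DenyUsers", [])):
        return False
    allow_users = cfg.get("AllowUsers")
    if allow_users is not None and not any(pattern_matches(p, user, host) for p in allow_users):
        return False
    if any(fnmatchcase(g, p) for g in groups for p in cfg.get("DenyGroups", [])):
        return False
    allow_groups = cfg.get("AllowGroups")
    if allow_groups is not None and not any(fnmatchcase(g, p) for g in groups for p in allow_groups):
        return False
    return True


# The page's example line, AllowUsers tom root@192.168.10.5, as a constructed dict.
EXAMPLE_CFG = {"AllowUsers": ["tom", "root@192.168.10.5"]}

if __name__ == "__main__":
    for user, host in [("tom", "10.0.0.9"), ("root", "192.168.10.5"),
                       ("root", "192.168.10.6"), ("bob", "192.168.10.5")]:
        print(user, host, login_permitted(user, host, [], EXAMPLE_CFG))
```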


# rsync httpd-2.2.25.tar.gz USER@HOST:/home/demo

# scp httpd.tar.gz USER@HOST:/home/demo


Encryption technology

I. Encryption methods

1. Symmetric encryption: encryption and decryption use the same key. Algorithms: DES/3DES/AES. Advantage: high encryption efficiency. Disadvantage: transferring and storing the key is inconvenient.

2. Asymmetric encryption: the public key encrypts, the private key decrypts. Algorithm: RSA. Advantage: key transfer and storage is convenient. Disadvantage: low encryption efficiency.

3. One-way encryption: can only go in one direction and cannot be reversed. Hash algorithms: MD5, SHA.


# md5sum /etc/passwd

# sha<Tab><Tab>   // type sha and press Tab to list the available tools

sha1sum sha224sum sha256sum sha384sum sha512sum sharesec

# sha512sum /etc/passwd   // the larger the number, the longer the digest


bob:$6$xa/cy   // in the password hash field of /etc/shadow, $6$ means SHA-512

bob:$1$xa/cy   // $1$ means MD5


Enable SSH login without a password

1. Generate a key pair

# ssh-keygen   // press Enter at every prompt: the first prompt sets the key file name, the second and third set the key passphrase (left empty here)

/root/.ssh/id_rsa   // where the key pair is stored


2. Upload the public key to the server's root user

# ssh-copy-id -i root@SERVER_IP   // SERVER_IP is the server's IP address


/root/.ssh/id_rsa   private key

/root/.ssh/id_rsa.pub   public key

/root/.ssh/known_hosts   saved server host key information


# cd /etc/ssh

# rm -rf ssh_host*

# service sshd restart

# ssh 192.168.1.2   // login refused: the server's host key has changed

The login works again once the stale entry is removed by deleting known_hosts on the client (in ~/.ssh):

# rm -rf known_hosts

# ssh 192.168.1.2   // login successful


# cd ~/.ssh

# ls

id_rsa  id_rsa.pub  known_hosts

# rm -f id*

# ssh-keygen   // regenerate the key pair


# ssh-add   // after this step, remote connections no longer ask for the key passphrase

Could not open a connection to your authentication agent.

# eval `ssh-agent`   // if ssh-add fails with the message above, start an agent first

Agent pid 5267

# ssh-add ~/.ssh/rsa   // wrong file name, so this attempt fails

/root/.ssh/rsa: No such file or directory

# ssh-add

Enter passphrase for /root/.ssh/id_rsa:

Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)


# ssh-keygen

# yum list | grep wire   // search for the packet-capture tool

# yum -y install wireshark wireshark-gnome   // install the packet-capture tool

Applications -> Internet -> Wireshark   // open the packet-capture tool


II. SSH encryption and host authentication

1. When the client connects to the server over SSH for the first time, the server sends its host key. The client cannot determine whether this key really belongs to the server, so the screen prompts you to trust the key. After the user enters yes, the connection continues.

2. On the server side:

# rm -f /etc/ssh/ssh_host_*

# service sshd restart

3. When the client connects to the server again, the service's key has been regenerated, so the server key stored locally on the client and the key the server sends in this session do not match, and the client refuses the connection.

4. The client trusts the key again:

# rm ~/.ssh/known_hosts

# ssh SERVER

III. Generate an SSH key and protect the private key with a passphrase

1. The client generates a key pair.

# ssh-keygen   // when prompted for a passphrase, enter one; it is the password that protects the private key

2. Upload the public key to the server:

# ssh-copy-id -i SERVER_IP

3. Connection test:

# ssh SERVER_IP   // the password asked for here is the private key's passphrase, not the server account's password

4. Hand the private key passphrase to the agent:

# ssh-add

5. Run ssh to the server again; no password needs to be entered.


IV. Certificates (the carrier of the key and algorithm)

1. CA: Certification Authority


V. TCP Wrappers

1. A unified protection strategy

Shared by multiple TCP services, which increases efficiency


2. Check whether a service supports TCP wrappers protection

# ldd `which sshd vsftpd` | grep wrap

libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f274758c000)

libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fb676477000)


3. Protection rules are stored in

/etc/hosts.allow

/etc/hosts.deny

How the policy is applied:

hosts.allow is checked first; a match allows the connection.

Otherwise hosts.deny is checked; a match refuses the connection.

If neither file matches, the default is to allow.


4. Format of the rules

service list : client list

Client addresses can be written as:

the wildcards ? and *

a network segment, such as 192.168.4. or 192.168.4.0/255.255.255.0

a domain, such as .wsyht.com


5. Example:

Allow only the following clients to access vsftpd:

network segment 192.168.4.0/24

IP range 192.168.7.1-192.168.7.20

# rpm -ql telnet-server   // look up the service's daemon name (in.telnetd)


# vim /etc/hosts.allow

vsftpd:192.168.4.*,192.168.7.?,192.168.7.1?,192.168.7.20

sshd:192.168.1.3

in.telnetd:192.168.1.3

# vim /etc/hosts.deny

vsftpd:ALL
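An added example (not part of the page, and not tcp_wrappers' own code) that applies the evaluation order and the client-address forms described above to the two files of this example; the file contents are a constructed copy of the lines shown, and the functions are assumed helpers.

```python
import ipaddress
from fnmatch import fnmatchcase


def client_matches(pattern, client_ip, client_name=""):
    """One client pattern: ALL, a .domain suffix, a trailing-dot network prefix
    (192.168.4.), net/mask, * and ? wildcards, or an exact address or name."""
    pattern = pattern.strip()
    if pattern.upper() == "ALL":
        return True
    if pattern.startswith("."):                      # domain suffix, e.g. .wsyht.com
        return client_name.lower().endswith(pattern.lower())
    if pattern.endswith("."):                        # network prefix, e.g. 192.168.4.
        return client_ip.startswith(pattern)
    if "/" in pattern:                               # n.n.n.n/m.m.m.m
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if "*" in pattern or "?" in pattern:             # shell-style wildcards
        return fnmatchcase(client_ip, pattern) or fnmatchcase(client_name.lower(), pattern.lower())
    return pattern == client_ip or pattern.lower() == client_name.lower()


def rule_matches(line, service, client_ip, client_name=""):
    """A rule is 'service list : client list'; comments and blank lines never match."""
    line = line.split("#", 1)[0].strip()
    if ":" not in line:
        return False
    services, clients = (part.strip() for part in line.split(":", 1))
    service_ok = any(s.upper() == "ALL" or s == service
                     for s in services.replace(",", " ").split())
    return service_ok and any(client_matches(c, client_ip, client_name)
                              for c in clients.replace(",", " ").split())


def access_decision(allow_text, deny_text, service, client_ip, client_name=""):
    """hosts.allow first (a match grants), then hosts.deny (a match refuses);
    with no match in either file the connection is allowed."""
    if any(rule_matches(ln, service, client_ip, client_name) for ln in allow_text.splitlines()):
        return "allow"
    if any(rule_matches(ln, service, client_ip, client_name) for ln in deny_text.splitlines()):
        return "deny"
    return "allow"


# Constructed copies of the two files from the example above.
HOSTS_ALLOW = """vsftpd:192.168.4.*,192.168.7.?,192.168.7.1?,192.168.7.20
sshd:192.168.1.3
in.telnetd:192.168.1.3
"""
HOSTS_DENY = "vsftpd:ALL\n"
```

Note that with this policy a client such as 192.168.7.21 reaches vsftpd:ALL in hosts.deny and is refused, while sshd from any unlisted address is still allowed because hosts.deny says nothing about it.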


VI. AAA

Authentication: identity authentication, who are you?

Authorization: what are you allowed to do?

Audit: what did you do?


VII. PAM, Pluggable Authentication Modules

1. Configuration files: /etc/pam.d/

2. Contents of a configuration file (one line, for example):

account    required    pam_nologin.so

The first column is the module type; the available options are:

account: performs account management that is not authentication, typically restricting the user's login time and the system resources available

auth: provides two aspects of user authentication. First it verifies that the user is who they claim to be (for example, with a password); second, it can grant group membership or other credentials

password: required when the user changes their password

session: things done before or after a service is granted to the user, for example writing a log entry when the user accesses data

The second column is the control flag; the available options are:

required: if this check fails the stack will ultimately fail, but the following lines are still checked

sufficient: if this check succeeds, the stack passes immediately and later lines are not checked; if it fails, that alone does not mean the stack ultimately fails

optional: optional

include: includes the contents of another file

The third column is the module called, located under /lib64/security

/var/log/secure   security log file
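An added example (not from the page) that models how Linux-PAM walks a stack with these control flags, including the case the prose leaves implicit: a sufficient success does not rescue a stack in which a required line already failed. The su auth stack (pam_rootok.so, pam_wheel.so, pam_unix.so) is an assumed reconstruction of example one below, since the notes only say which line to uncomment.

```python
def evaluate_pam_stack(stack, results):
    """stack: list of (control_flag, module) in file order.
    results: {module: True for success, False for failure}.
    Returns whether the stack as a whole succeeds, following Linux-PAM:
      required   failure is remembered, but the remaining lines still run
      requisite  failure stops the stack immediately
      sufficient success ends the stack at once, unless a required line already failed
      optional   only counts when no other line has set the result"""
    impression = None          # None: undecided, True: passing, False: failed
    for control, module in stack:
        ok = results.get(module, False)
        if control in ("required", "requisite", "optional"):
            if ok:
                if impression is None:
                    impression = True
            elif control == "requisite":
                return False
            elif control == "required":
                impression = False
            # an optional failure is ignored
        elif control == "sufficient":
            if ok and impression is not False:
                return True
        else:
            raise ValueError("unsupported control flag: %s" % control)
    return impression is True


# Assumed auth stack for su (constructed): root may switch without a password,
# wheel membership is enforced, then the normal password check.
SU_AUTH = [
    ("sufficient", "pam_rootok.so"),
    ("required", "pam_wheel.so"),
    ("required", "pam_unix.so"),
]


def su_allowed(is_root, in_wheel, password_ok):
    """Outcome of 'su -' for a caller with the given properties under SU_AUTH."""
    return evaluate_pam_stack(SU_AUTH, {
        "pam_rootok.so": is_root,
        "pam_wheel.so": in_wheel,
        "pam_unix.so": password_ok,
    })
```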


3. Example one: only members of the wheel group can switch to the root user

# vim /etc/pam.d/su   // uncomment the "auth required" line for the wheel module

Log in as tom and run su -; even with the correct password, the switch is refused.

# usermod -aG wheel tom   // add tom to the wheel group: -a append, -G supplementary group

Run su - again; tom can now switch to the root user.


4. Example two: prohibit tom from logging in on tty2

# vim /etc/pam.d/login   // add the following line

account    required    pam_access.so


# vim /etc/security/access.conf   // add at the end, on its own line (do not append to the existing last line)

-:tom:tty2   // - means deny


5. Example three: user tom is allowed to open only two files

Check that /etc/pam.d/system-auth contains

session    required    pam_limits.so   // add it at the end if it is missing

# vim /etc/security/limits.conf   // add at the end

tom    hard    nofile    2

Whether you switch to tom with su or log in as tom, it is refused.


6. Example four: create a file /etc/vsftpd/ftpgrps; the groups listed in it cannot access FTP


# groupadd denyftp

# usermod -aG denyftp tom

# echo 'denyftp' > /etc/vsftpd/ftpgrps

# vim /etc/pam.d/vsftpd   // add at the end

auth    required    pam_listfile.so item=group sense=deny file=/etc/vsftpd/ftpgrps onerr=succeed

Verification: tom logs in to FTP and the login fails; check the /var/log/secure log


7. Example five: set the minimum user password length to 9 characters

# vim /etc/pam.d/system-auth

password    requisite    pam_cracklib.so try_first_pass retry=3 minlen=9 dcredit=0 ucredit=0 lcredit=0 ocredit=0


This article is from the "Wsyht blog"; please keep this source: http://wsyht2015.blog.51cto.com/9014030/1790277
