Security 01: Linux basic protection, user switching and sudo privilege delegation, SSH access control, summary and troubleshooting

Source: Internet
Author: User
Tags: aliases, stdin, ssh access, ssh server

Linux security and monitoring: 6 days
Linux security: 3 days
Linux monitoring: 3 days
+++++++++++++++++++++++++
What is security? Protecting servers from attack and damage, and keeping them running.

Means of attack and damage?
Technical
Non-technical: countered by establishing policies and workflows

Technical attacks and their countermeasures:
Local security: user management, file system and mount options, file attributes, su and sudo (covered below)

Network security: firewalls
(software firewall: firewalld on RHEL7, iptables on RHEL6)
(hardware firewall: a standalone physical device)
Configuration of the sshd service (key-pair authentication login)

Data security: what attacks can data suffer while it is transmitted over the network?
Tampering: countered by digital signatures (integrity, non-repudiation)
Eavesdropping: countered by encryption (confidentiality)

Linux Security Day01
Local security:
1 User management:
Related commands and options
useradd -u UID -g primary_group -G supplementary_groups -s shell username
useradd -s /sbin/nologin jim      // a service account: the user only owns a process and cannot log in

#useradd tom

echo 123456 | passwd --stdin tom  // --stdin is RHEL/CentOS-specific; note that the password ends up in the shell history

usermod -l new_name -u UID -g primary_group -G supplementary_groups -s shell username
userdel -r username               // -r also removes the home directory and mail spool
passwd -S -l -u username          // -S show password status, -l lock, -u unlock
chage -l -d -E username           // -l list ageing info, -d date of last change, -E account expiry date
#chage -l tom
#chage -d 0 tom                   // last change = day 0: the password is expired and must be changed at the next login

chage -E 2018/01/31 jim           // the account expires on that date

id username
#id jim

Related configuration files
/etc/passwd
#grep tom /etc/passwd

/etc/shadow
#grep tom /etc/shadow

/etc/login.defs                   // defaults for new accounts: UID/GID ranges, password ageing, umask

grep -v '^#' /etc/login.defs

#ls -A /etc/skel/                 // template copied into each new user's home directory
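Added example, not part of the course notes: the helpers below read /etc/passwd- and /etc/shadow-style text from standard input and report the account problems the commands above are meant to prevent (a second UID 0, an empty password field, interactive shells on service accounts, locked accounts). The sample data is constructed; on a real host run them as `extra_uid0_accounts < /etc/passwd` and `empty_password_accounts < /etc/shadow` (the latter needs root).

```shell
#!/bin/sh
# Audit helpers for /etc/passwd and /etc/shadow (added example, not from the course).
# Each function reads one file's content from stdin and prints matching account names.

# Constructed sample data: "backdoor" is a second UID-0 account, "tom" has an
# empty password field, "jim" is a locked service-style account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
jim:x:1000:1000::/home/jim:/sbin/nologin
tom:x:1001:1001::/home/tom:/bin/bash
backdoor:x:0:1002::/home/backdoor:/bin/bash'

SAMPLE_SHADOW='root:$6$salt$hash:17500:0:99999:7:::
bin:*:17500:0:99999:7:::
jim:!!:17500:0:99999:7:::
tom::17500:0:99999:7:::
backdoor:$6$salt$hash:17500:0:99999:7:::'

# UID 0 accounts other than root: each one is a second root login.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Empty password field in /etc/shadow: the account can log in with no password
# at all when PAM allows nullok. Lock it (passwd -l) or set a password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Accounts with an interactive shell: everything that is not nologin/false.
# Service accounts created with useradd -s /sbin/nologin must not appear here.
interactive_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Locked ("!", "!!") or disabled ("*") password fields, as passwd -l leaves them.
locked_accounts() {
    awk -F: '$2 ~ /^(\*|!)/ { print $1 }'
}

# Usage against the sample data (one name per line):
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts        # backdoor
printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts    # tom
printf '%s\n' "$SAMPLE_PASSWD" | interactive_shell_accounts # root, tom, backdoor
printf '%s\n' "$SAMPLE_SHADOW" | locked_accounts            # bin, jim
```

The checks are deliberately independent of each other so they can be wired into a cron job or a configuration-management audit; a UID-0 account that is also locked is still worth reporting, since `passwd -u` reverses the lock in one command.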
+++++++++++++++++++++++++++++++++++++++
Hide kernel and operating system information from the pre-login banners (edit the file contents).
Local (console) login:
#cat /etc/issue
\s
Kernel \r on an \m
(\s, \r and \m expand to the OS name, kernel release and machine architecture; replace them with a fixed warning text)

Network login:
#cat /etc/issue.net
\s
Kernel \r on an \m
(/etc/issue.net is shown by telnet; sshd only displays it when "Banner /etc/issue.net" is set in /etc/ssh/sshd_config)
++++++++++++++++++++++++++++++++
File system security:
Change the number of commands kept in the shell history (default 1000)
#grep -n HISTSIZE /etc/profile
45:HISTSIZE=1000
#sed -i 's/^HISTSIZE=.*/HISTSIZE=500/' /etc/profile   // match the variable, not the line number: line 45 differs between releases
#grep -n HISTSIZE /etc/profile
45:HISTSIZE=500
#echo $HISTSIZE
1000
#source /etc/profile                                   // only affects the current shell; new logins read the file themselves
#echo $HISTSIZE
500
#ls ~/.bash_history
/root/.bash_history
#vim ~/.bash_history
Note: the history file is where commands such as "echo 123456 | passwd --stdin tom" leave the password in clear text; shrinking HISTSIZE shortens the audit trail as much as it limits that exposure, so prefer not to type secrets on the command line at all.

Record the time each history command was executed: HISTTIMEFORMAT
#HISTTIMEFORMAT='%F %T '
#history

#vim /etc/profile
....
export HISTTIMEFORMAT='%F %T '
:wq

Program and service control (stop services the host does not need from starting at boot)
RHEL7: systemctl disable service_name
       systemctl disable firewalld        // the notes' example; only do this for a service the host really does not need
RHEL6: chkconfig service_name off
       ntsysv
ls /etc/init.d/                            // the init scripts are stored here
#chmod o-x /etc/init.d/*                   // remove execute permission for "other" so unprivileged users cannot run the scripts

File system and mount:
What is your partitioning plan when installing the operating system?
/ (root) partition: if no data partition is allocated separately, everything is stored under / (required)
/home: separate partition recommended (LV)
/var: separate partition recommended (LV)      PV -> VG -> LV
/boot: holds the files used at system startup (optional)
swap: swap partition on physical disk (optional)

File system types used when formatting: ext2/ext3/ext4, xfs (proc is a virtual file system, not an on-disk one)

Mount modes:
Command line: mount -t fstype -o options partition directory
Automatic at boot: /etc/fstab, where "defaults" selects the default options
Triggered on access: the autofs service

Which options does "defaults" include?
#man mount, then search for "defaults"
defaults
      Use default options: rw, suid, dev, exec, auto, nouser, and async.

suid   setuid/setgid bits are honoured for files under the mount point
exec   binaries under the mount point may be executed

The lab below shows why that matters: a copy of useradd with the setuid bit set and executable by everyone runs as root for any user who can reach the mount point.
#fdisk /dev/vdb
#fdisk -l /dev/vdb
#blkid /dev/vdb1
#mkfs.ext4 /dev/vdb1
#blkid /dev/vdb1
#mkdir /disk1
#mount -t ext4 /dev/vdb1 /disk1
#cp /usr/sbin/useradd /disk1
#chmod o+x /disk1/useradd
#chmod u+s /disk1/useradd
(as an ordinary user, /disk1/useradd now creates accounts; once the partition is mounted nosuid the setuid bit is ignored, the copy runs with the caller's own privileges and cannot touch /etc/passwd)

nosuid   setuid/setgid bits are ignored for files under the mount point
noexec   binaries under the mount point cannot be executed (nodev additionally ignores device files)

#cd /
#umount /disk1
#mount -t ext4 -o nosuid,noexec /dev/vdb1 /disk1
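Added example, not from the course notes: an /etc/fstab check that reports which data mounts still rely on the suid, exec and dev defaults, reading fstab-formatted text from standard input. The fstab content is constructed; / and /boot are exempted because they hold the setuid system binaries and the boot files, and swap is not a file system.

```shell
#!/bin/sh
# Report data mounts in /etc/fstab that do not set nosuid, noexec and nodev.
# Added example (not from the course). Reads fstab text from stdin; on a real
# host: fstab_missing_options < /etc/fstab

# Constructed fstab: /home and /var use "defaults" (which includes suid, exec, dev),
# /disk1 is mounted the way the lab above ends.
SAMPLE_FSTAB='# /etc/fstab (constructed for the example)
UUID=aaaa-1111       /      xfs   defaults             0 0
UUID=bbbb-2222       /boot  xfs   defaults             0 0
/dev/mapper/vg-home  /home  xfs   defaults             0 0
/dev/mapper/vg-var   /var   xfs   defaults,nodev       0 0
/dev/vdb1            /disk1 ext4  nosuid,noexec,nodev  0 0
UUID=cccc-3333       swap   swap  defaults             0 0'

# Prints "mountpoint option" for every hardening option a data mount is missing.
fstab_missing_options() {
    awk '
        BEGIN { split("nosuid noexec nodev", want, " ") }
        /^[ \t]*(#|$)/ { next }                                # comments and blank lines
        $2 == "/" || $2 == "/boot" || $3 == "swap" { next }   # exempt
        {
            n = split($4, opts, ",")
            split("", have)                                   # clear the set portably
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            for (i = 1; i <= 3; i++) if (!(want[i] in have)) print $2, want[i]
        }'
}

printf '%s\n' "$SAMPLE_FSTAB" | fstab_missing_options
# /home nosuid
# /home noexec
# /home nodev
# /var nosuid
# /var noexec
```

Findings are applied live with `mount -o remount,nosuid,noexec,nodev /home` and made permanent in the fstab options column. Test before enforcing noexec on /var (or /tmp): rpm scriptlets and some installers unpack and execute helpers there, so that mount may need exec while nosuid and nodev remain safe.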
++++++++++++++++++++++++
Add special attributes to files (lock/unlock), typically system and service configuration files
i   immutable: the file cannot be modified, deleted, renamed or linked, not even by root, until the attribute is removed
a   append-only: data can only be appended to the file (log files)
View:   lsattr filename
Add:    chattr +i filename   /   chattr +a filename
Remove: chattr -i filename   /   chattr -a filename
(root can still run chattr -i, so this protects against mistakes and careless scripts, not against an attacker who already has root)
+++++++++++++++++++++++++++++++++++++++++
User switching
Normal user ----------> root: the root password is required
Normal user <---------- root: no password required
Normal user <----------> normal user: the target user's password is required

#su              // switch to root (identity only)
#su -            // switch identity and environment (login shell: the target user's HOME, PATH and profile)
#su user         // switch to the user's identity only; the caller's environment is kept
Prefer "su -": keeping the caller's environment, PATH in particular, when becoming root is a classic way to end up running the wrong binary as root.

#su -c "command" user    // switch to the user and run one command
$ su -c "touch /root/a.txt" root

++++++++++++++++++++++++++++++++++++++++++
Privilege delegation (sudo): root allows selected ordinary users to run selected commands with root privileges.
useradd webadmin   ----> manages httpd
useradd dbadmin    ----> manages mysqld

echo 123456 | passwd --stdin webadmin
echo 123456 | passwd --stdin dbadmin

/etc/sudoers: the sudo policy file. Always edit it with visudo, which locks the file and checks the syntax before saving; a syntax error in /etc/sudoers breaks sudo for everyone.

username  host_list = command_list      // grant rights to one user
%group    host_list = command_list      // grant rights to a user group

* Commands in the list must be written with their absolute path
#which command_name
#which systemctl

#visudo

webadmin localhost,host50=/usr/bin/systemctl * httpd, /usr/bin/vim /etc/httpd/conf/httpd.conf, NOPASSWD: ALL
mike     localhost,host50=/sbin/*, !/sbin/ifconfig eth0
:wq

%webgrp  localhost,host50=/usr/bin/systemctl * httpd, /usr/bin/vim /etc/httpd/conf/httpd.conf

Why the webadmin and mike rules above are weaker than they look:
  - "NOPASSWD: ALL" at the end grants every command without a password, so the restrictions before it are meaningless.
  - Running vim (or vi, less, more, man) as root hands out a root shell via ":!sh"; grant "sudoedit /etc/httpd/conf/httpd.conf" instead.
  - "systemctl * httpd": sudoers wildcards match across words, so for example "systemctl edit httpd" opens an editor as root; list the verbs (start, stop, restart, reload, status) explicitly.
  - "/sbin/*, !/sbin/ifconfig eth0": the sudoers manual itself warns that excluding commands with "!" is not effective, because the user can copy or rename the binary; grant only what is needed.

#useradd mike
#echo 123456 | passwd --stdin mike
#groupadd webgrp
#useradd webadmin2
#echo 123456 | passwd --stdin webadmin2
#usermod -aG webgrp webadmin        // -G alone replaces the supplementary group list; -aG appends to it
#usermod -aG webgrp webadmin2

Using aliases in the policy (alias names must be upper case)
Define user aliases
User_Alias  ALIAS = list of user names
User_Alias  HTTPUSERS = webadmin, webadmin2

Define host aliases
Host_Alias  ALIAS = list of host names
Host_Alias  MYPC = localhost, host50

Define command aliases
Cmnd_Alias  ALIAS = list of commands
Cmnd_Alias  SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

+++++++++++++++++++++++
Granting rights with aliases
USER_ALIAS  HOST_ALIAS = COMMAND_ALIAS

HTTPUSERS  MYPC = SOFTWARE, /usr/bin/systemctl * httpd, /usr/bin/vim /etc/httpd/conf/httpd.conf
+++++++++++++++++++++++++++++++
Enable logging of the commands users run through sudo
visudo
Defaults logfile="/var/log/sudo"
:wq

#cat /var/log/sudo       // created automatically the first time someone runs a sudo command; on RHEL every invocation is also logged to /var/log/secure through syslog
++++++++++++++++++++++++++
How does an ordinary user test the delegated rights?
List the commands you are allowed to run:  sudo -l
Run a delegated command:                   sudo command
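Added example, not from the course notes: a small sudoers lint that reads rule text from standard input and flags the weaknesses discussed above (NOPASSWD: ALL, editors and pagers that escape to a shell, argument and directory wildcards, negated commands). The rule text is constructed from the notes' own rules, and the "safer" rewrite uses paths I assume; confirm them with `which` before use.

```shell
#!/bin/sh
# Lint sudoers rules for the weaknesses discussed above (added example, not
# from the course). Reads sudoers text from stdin and prints one finding per line.
# On a real host: sudoers_lint < /etc/sudoers (and each file in /etc/sudoers.d).

# The rules from the notes, as written (constructed text):
RISKY_SUDOERS='webadmin localhost,host50=/usr/bin/systemctl * httpd, /usr/bin/vim /etc/httpd/conf/httpd.conf, NOPASSWD: ALL
mike localhost,host50=/sbin/*, !/sbin/ifconfig eth0'

# The same intent, narrowed to what the users actually need (assumed paths):
SAFER_SUDOERS='webadmin localhost,host50=/usr/bin/systemctl restart httpd, /usr/bin/systemctl reload httpd, sudoedit /etc/httpd/conf/httpd.conf
mike localhost,host50=/sbin/ip link show'

sudoers_lint() {
    awk '
        BEGIN {
            # editors and pagers that can spawn a shell (:!sh, !sh) once running as root
            shellout = "(^|[/ \t])(vim?|nano|less|more|man|emacs)([ \t]|$)"
        }
        /^[ \t]*(#|$)/ { next }                                      # comments, blank lines
        /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        {
            if ($0 ~ /NOPASSWD:[ \t]*ALL/)
                print NR ": NOPASSWD: ALL is a passwordless root shell; the other entries on the line are irrelevant"
            if ($0 ~ shellout)
                print NR ": editor/pager runs as root and can spawn a shell; use sudoedit for file edits"
            if ($0 ~ /[ \t]\*[ \t]/)
                print NR ": argument wildcard matches across words (e.g. systemctl edit httpd opens an editor as root); list the verbs"
            if ($0 ~ /!/)
                print NR ": negated command (!) is bypassable by copying or renaming the binary; grant only what is needed"
            if ($0 ~ /\/\*/)
                print NR ": directory wildcard grants every binary in the directory, including future ones"
        }'
}

printf '%s\n' "$RISKY_SUDOERS" | sudoers_lint     # five findings (three on line 1, two on line 2)
printf '%s\n' "$SAFER_SUDOERS" | sudoers_lint     # no output
```

The lint skips alias definitions, so expand a Cmnd_Alias by hand (or check the effective rules with `sudo -l -U user`) before trusting a clean result, and still run `visudo -c -f FILE` for syntax: the lint finds dangerous grants, not malformed ones.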

++++++++++++++++++++++++++++++++++++++++++
SSH service access control:

    • After the service starts,
      all client access is allowed by default,
      default authentication method: password login.
      #systemctl start sshd
      #netstat -utnalp | grep sshd
      tcp   0   0 0.0.0.0:22   0.0.0.0:*   LISTEN   1412/sshd

Set the parameters the service runs with

vim /etc/ssh/sshd_config

Port 22022
ListenAddress 192.168.4.50
(on RHEL7 with SELinux enforcing, a non-default port must also be labelled before sshd is restarted: semanage port -a -t ssh_port_t -p tcp 22022; open it in the firewall as well)

Configure a whitelist: only users in the list may log in
AllowUsers username1 username2@client_address
AllowGroups group1 group2

vim /etc/ssh/sshd_config
AllowUsers jerry user2@192.168.4.254      // jerry from anywhere, user2 only from that client

Configure a blacklist: users in the list may not log in
DenyUsers username1 username2@client_address
DenyGroups group1 group2

vim /etc/ssh/sshd_config
DenyUsers bob

The directives are evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups; a login denied by any of them is rejected. After each change check the file with sshd -t and restart the service (systemctl restart sshd).

++++++++++++++++++++++++++++++++
Configure the SSH service to allow only key-pair authentication
The server stores the user's public key; the client proves possession of the matching private key by signing a challenge, and the server verifies that signature with the public key. The private key never leaves the client.

Client 254:
1 Create the key pair:  ls ~/.ssh/
#rm -rf ~/.ssh               // lab only: this also deletes any existing keys and known_hosts
#ssh-keygen                  // create the key pair; set a passphrase on anything but a lab key
#ls ~/.ssh/
id_rsa  id_rsa.pub            // id_rsa is the private key (mode 0600), id_rsa.pub the public key

SSH server 50:
#rm -rf ~/.ssh

Client 254: send the public key to the SSH server

ssh-copy-id root@192.168.4.50       // uploads the PUBLIC key only, appending it to ~/.ssh/authorized_keys on the server; asks for the password one last time

SSH server 50:
#ls ~/.ssh
authorized_keys

SSH server 50: disable password authentication
vim /etc/ssh/sshd_config
81 PasswordAuthentication no        // the line number differs between releases; sshd uses the FIRST uncommented occurrence of a keyword, so make sure no earlier "PasswordAuthentication yes" remains
:wq
#sshd -t                            // syntax check before restarting; keep the current session open until key login is confirmed
#systemctl restart sshd

Client 254: test key-pair login
#ssh root@192.168.4.50              // connects without a password prompt
#ssh user@192.168.4.50              // a user whose public key is not in authorized_keys is refused: "Permission denied (publickey...)"
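Added example, not from the course notes: an sshd_config check that reads the config text from standard input, resolves each keyword the way sshd does (first uncommented occurrence wins, keywords are case-insensitive) and reports the settings that still allow a password or root login. It also covers ChallengeResponseAuthentication, which is the PAM keyboard-interactive path that can keep prompting for passwords after PasswordAuthentication is turned off. The two config texts are constructed; the assumed defaults for unset keywords are stated in the code. Match blocks are not evaluated.

```shell
#!/bin/sh
# Check sshd_config for settings that still allow password guessing or root login
# (added example, not from the course). Reads config text from stdin; on a real
# host: sshd_check < /etc/ssh/sshd_config. Match blocks are not evaluated.

# Constructed config reproducing the notes' edits, with a common mistake: the
# "no" was appended at the end, but sshd uses the FIRST value of each keyword.
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed)
Port 22022
ListenAddress 192.168.4.50
PasswordAuthentication yes
AllowUsers jerry user2@192.168.4.254
# appended later: ignored, because the earlier "yes" wins
PasswordAuthentication no'

HARDENED_SSHD_CONFIG='Port 22022
ListenAddress 192.168.4.50
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers jerry user2@192.168.4.254'

# sshd_value KEYWORD DEFAULT: effective value of a keyword (first match wins,
# keywords are case-insensitive), or DEFAULT when the keyword is not set.
sshd_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" -v def="$2" '
        /^[ \t]*(#|$)/ { next }
        !found && tolower($1) == key { print $2; found = 1 }
        END { if (!found) print def }'
}

# Print one line per setting that still permits password-based or root login.
# Assumed defaults when unset: "yes" for all three (PermitRootLogin defaults to
# prohibit-password on newer OpenSSH, which is also accepted below).
sshd_check() {
    cfg=$(cat)
    pa=$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication yes)
    cr=$(printf '%s\n' "$cfg" | sshd_value ChallengeResponseAuthentication yes)
    pr=$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin yes)
    [ "$pa" = "no" ] || echo "PasswordAuthentication=$pa: password guessing still possible"
    [ "$cr" = "no" ] || echo "ChallengeResponseAuthentication=$cr: PAM keyboard-interactive can still ask for a password"
    [ "$pr" = "no" ] || [ "$pr" = "prohibit-password" ] || echo "PermitRootLogin=$pr: log in as a named user and use sudo"
}

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_value PasswordAuthentication yes   # yes (the late "no" is ignored)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_check                              # three findings
printf '%s\n' "$HARDENED_SSHD_CONFIG" | sshd_check                            # no output
```

Run the check before `systemctl restart sshd`, alongside `sshd -t`: the syntax check does not tell you that an appended `PasswordAuthentication no` is being ignored, this does.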

++++++++++++++++++++++++++++++++
Connecting to the SSH server from the client
ssh username@ssh_ip                      // connects to port 22 of the destination server by default
ssh -X -p port_number username@ssh_ip    // connect to the specified port
-X  forwards X11 so graphical programs display locally; use it only with servers you trust, because the remote side gains access to your X display

++++++++++++++++++++++++++++++++++++++++++
Write a script /root/autoadduser.sh
Function: batch-add system users, with the following requirements:
When the script is executed the number of users to add can be specified; if no number is given, only 1 user is added by default. Each user's password is the same as the user name, and the user is forced to change it at the first login. After a user is added, a readme.txt file is created automatically in the user's home directory. If a user already exists on the system, print a message such as "jim already exists".
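An added example solution (mine, not the course's own), built from the commands in the user-management section: useradd, passwd --stdin and chage -d 0. The naming scheme is my assumption: with a count of 1 the script creates one user named PREFIX, otherwise PREFIX1 .. PREFIXN. The name generation and existence check work without root; the actual account creation needs it.

```shell
#!/bin/bash
# /root/autoadduser.sh PREFIX [COUNT]
# Added example solution, not the course's own: batch-add users whose password
# equals the user name, expire that password so it must be changed at first
# login, and drop a readme.txt into each new home directory.
# Assumed naming scheme: COUNT=1 creates one user named PREFIX; COUNT>1 creates
# PREFIX1 .. PREFIXCOUNT. useradd/passwd/chage need root; the helpers do not.

# Print the account names to create, one per line; rejects a non-numeric count.
gen_names() {
    prefix=$1
    count=${2:-1}
    case $count in
        *[!0-9]*|0) echo "count must be a positive integer" >&2; return 1 ;;
    esac
    if [ "$count" -eq 1 ]; then
        printf '%s\n' "$prefix"
    else
        i=1
        while [ "$i" -le "$count" ]; do
            printf '%s%s\n' "$prefix" "$i"
            i=$((i + 1))
        done
    fi
}

# True if the account already exists (checks every NSS source, not only /etc/passwd).
user_exists() {
    id "$1" >/dev/null 2>&1
}

# Create one user as the requirements describe; prints "<name> already exists" if present.
add_user() {
    name=$1
    if user_exists "$name"; then
        echo "$name already exists"
        return 1
    fi
    useradd "$name" || return 1
    echo "$name" | passwd --stdin "$name" >/dev/null   # RHEL/CentOS passwd; elsewhere: echo "$name:$name" | chpasswd
    chage -d 0 "$name"                                 # password expired: forced change at first login
    home=$(getent passwd "$name" | cut -d: -f6)
    printf 'Welcome %s. Your initial password equals your user name; change it at first login.\n' "$name" > "$home/readme.txt"
    chown "$name:$name" "$home/readme.txt"
    chmod 0640 "$home/readme.txt"
    echo "$name added"
}

main() {
    [ -n "$1" ] || { echo "usage: $0 PREFIX [COUNT]" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    gen_names "$1" "$2" | while read -r name; do
        add_user "$name"
    done
}

# Only run main when invoked as the script itself, so the functions can be
# sourced (or tested) without creating accounts.
case $0 in
    autoadduser.sh|*/autoadduser.sh) main "$@" ;;
esac
```

Usage: `/root/autoadduser.sh jim` creates jim; `/root/autoadduser.sh stu 3` creates stu1, stu2 and stu3. The user name is passed to passwd through a pipe rather than on its command line, so it does not appear in `ps` output; it still ends up in the history if typed interactively, which is one more reason the forced change at first login matters.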
