Although Linux is a multi-user system like Windows NT/2000, there are many important differences between them. For many administrators who are used to windows, there are many new challenges to ensure the security and reliability of the Linux operating system. This article focuses on Linux system security commands.
Passwd
1. Role
The passwd command is used to change the logon password of an account. The permission is granted to all users.
2. Format
Passwd [Option] account name
3. Main Parameters
-L: the name of the named account is locked and can only be used by users with super user permissions.
-U: Unlock the account lock status. Only users with Super User Permissions can use it.
-X, -- maximum = days: Maximum Password usage time (days). Only users with Super User Permissions can use it.
-N, -- Minimum = days: Minimum Password usage time (days). Only users with Super User Permissions can use the password.
-D: Delete the user's password. Only users with Super User Permissions can use it.
-S: Check the password authentication type of a specified user. Only users with Super User Permissions can use the password.
4. Application Instance
$ Passwd
Changing password for user Cao.
Changing password for Cao
(Current) UNIX password:
New UNIX password:
Retype new Unix Password:
Passwd: All authentication tokens updated successfully.
As you can see above, the passwd command requires entering the old password and then entering the new password twice.
Su
1. Role
Su is used to change the identity of another user. Except for a Super User, you need to enter the user's password.
2. Format
Su [Option]... [-] [user [Arg]...]
3. Main Parameters
-F, -- fast: does not need to read the Startup File (such as CSH. cshrc). It is only used for CSH or tcsh shells.
-L, -- login: After this parameter is added, it is like re-logging into the user. Most environment variables (such as home, shell, and user) are based on this user) and the working directory will change. If no user is specified, the default value is root.
-M,-P, -- preserve-environment: the environment variable is not changed when Su is executed.
-C command: the user who changed the account to user, and then changed it back to the original user after executing the command.
.
User: user account to be changed. Arg is used to input new shell parameters.
4. Application Instance
Change the account to a Super User, and restore the user after executing the DF command. Su-c df Root
Umask
1. Role
Umask sets the default blocking value for creating files in User Files And Directories. If you place this command in the profile file, you can control the access permission for subsequent files created by the user. It tells the system not to grant access permission to anyone when creating a file. The permission is granted to all users.
2. Format
Umask [-p] [-S] [mode]
3. Parameters
-S: determines the current umask settings.
-P: Modify umask settings.
[Mode]: Modify the value.
4. Description
The umask value of traditional UNIX is 022, which prevents other users in the same group and users in other groups from modifying the user's files. Since each user has a private group, this "group protection mode" is not needed. Strict permission settings constitute the foundation of Linux security, and making mistakes in permissions is fatal. Note that the umask command is used to set the read and write permissions of the files created by the process. The safest value is 0077, that is, to disable the read and write permissions of all processes other than the process where the files are created, -RW -------. In ~ /. In bash_profile, the umask 0077 command can be added to ensure that the umask permission of the process can be correctly set after each shell startup.
5. Application Instance
Umask-S
U = rwx, G = RX, O = RX
Umask-P 177
Umask-S
U = RW, G =, O =
The preceding five-line command first shows the current status, and then changes the umask value to 177. Only the file owner has the permission to read and write the file, and other users cannot access the file. This is obviously a very safe setting.
Chgrp
1. Role
Chgrp indicates the group to which one or more files or directories belong. The permission is a Super User.
2. Format
Chgrp [Option]... group file...
Or
Chgrp [Option]... -- reference = reference file...
Set the group to which each <File> belongs.
3. Parameters
-C, -- Changes: Like -- verbose, but the result is displayed only when there is a change.
-- Dereference: affects the objects indicated by the symbolic link, rather than the symbolic link itself.
-H, -- no-dereference: affects the symbolic link itself, rather than the destination indicated by the symbolic link (this option is valid only when the system supports changing the owner of the symbolic link ).
-F, -- silent, -- Quiet: removes most error messages.
-- Reference = reference file: Use the group to which the <reference File> belongs, rather than the specified <group>.
-R, -- Recursive: recursively processes all files and subdirectories.
-V, -- verbose: displays information when processing any file.
4. Application description
This command changes the user group to which the specified file belongs. The Group can be either the user group ID or the group name of the user group in the/etc/group file. A file name is a list of files separated by spaces to change the group. Wildcards are supported. If the user is not the owner or super user of the file, the file group cannot be changed.
5. Application Instance
Change the owner group of all files in/opt/local/book/and its subdirectories to book. The command is as follows:
$ Chgrp-r book/opt/local/book
Chmod
1. Role
The chmod command is very important. It is used to change the access permissions of files or directories. You can use it to control the access permissions of files or directories.
2. Format
The chmod command can be used in two ways. One is the character setting method that contains letters and operator expressions (relative permission setting), and the other is the number setting method that contains numbers (absolute permission setting ).
(1) character setting method
Chmod [who] [+ |-| =] [mode] File Name
◆ The operation object who can be any one of the following letters or their combination
U: indicates the user, that is, the owner of the file or directory.
G: Indicates users in the same group, that is, all users with the same group ID as the file owner.
O: other users.
A: All users. It is the default value.
◆ Operation symbol
+: Add a permission.
-: Cancel a permission.
=: Grant the given permission and cancel all other permissions (if any ).
◆ Set the mode permission to any combination of the following letters
R: readable.
W: writable.
X: executable.
X: append the X attribute only when the target file is executable to some users or the target file is a directory.
S: During File Execution, set the owner or group ID of the process to the file owner of the file. In the format of "U + S" to set the user ID of the file, and "G + S" to set the group ID.
T: Save the program text to the swap device.
U: The same permissions as the file owner.
G: users in the same group as the file owner have the same permissions.
O: The same permissions as other users.
File Name: list of files separated by spaces to change permissions. Wildcards are supported.
Multiple permission methods can be provided in a command line, separated by commas.
(2) number setting method
The general format of the number setting method is: chmod [mode] File Name
The numeric attribute should be in the format of three Octal numbers 0 to 7, in the order of (u) (g) (o) file names, separated by spaces to change the permission of the file list, wildcard characters are supported. The meaning of the permission indicated by a number is as follows:
0001 the execution permission of the owner;
0002 is the write permission of the owner;
0004 the read permission of the owner;
0010 is the execution permission of the group;
0020 is the write permission of the group;
0040 is the group's read permission;
0100 is the execution permission of others;
0200 is the write permission of others;
0400 is the read permission of others; 1000 is the position of the paste;
2000 indicates that if the file is an executable file, the Group ID is the location bit; otherwise, the file is locked;
4000 indicates that if the file is an executable file, the user ID is the location.
3. Instance
If a system administrator writes a table (TEM) for all users to enter, the user must be authorized to read and write the file. Run the command: # chmod 666 TEM
In the code above, how is the 666 number calculated? 0002 is the write permission of the owner, 0004 is the read permission of the owner, 0020 is the write permission of the group, 0040 is the read permission of the group, and 0200 is the write permission of others, 0400 is the read permission of other people. The total number of these six numbers is 666 (all the above numbers are octal). The result is shown in Figure 1.
Figure 1 use the CHMOD numeric method to set File Permissions
As shown in figure 1, the permission for the TEM file is-RW-, that is, the user has the Read and Write Permission for the file.
Use the following command to set the character permission:
# Chmod A = wx TEM
Chown
1. Role
Change the owner and group of one or more files or directories. The permission is a Super User.
2. Format
Chown [Option] user or group file
3. Main Parameters
-- Dereference: The objects indicated by symbolic links are affected, not the symbolic links themselves.
-H, -- no-dereference: affects the symbolic link itself, rather than the destination indicated by the symbolic link (this option is valid only when the system supports changing the owner of the symbolic link ).
-- From = Current Owner: the current group changes the owner and group only when the owner and group of each file meet the specified options. One of these attributes can be omitted. The omitted attributes do not need to conform to the original attributes.
-F, -- silent, -- Quiet: removes most error messages.
-R, -- Recursive: recursively processes all files and subdirectories.
-V, -- verbose: displays information when processing any file.
4. Description
Chown changes the owner of a specified file to a specified user or group. The user can be the user name or user ID, and the group can be the group name or group ID; files are separated by spaces to change the permission list. Wildcards are supported. The system administrator often uses the CHOWN command to grant the user the permission to use the file after copying the file to another user's directory.
.
5. Application Instance
1. Change the owner of the Shiyan. c file to Wan
$ Chown Wan Shiyan. c
2. Change the owner of the directory/Hi and all files and subdirectories to Wan and the group to users.
$ Chown-r Wan. Users/hi
Chattr
1. Role
Modify the attributes of the ext2 and ext3 file systems and use the permission superuser.
2. Format
Chattr [-RV] [-+ = aacddijssu] [-V version] file or directory
3. Main Parameters
-R: recursively processes all files and subdirectories.
-V: displays the modified content in detail and prints the output.
-: Invalid attribute.
+: Activation attribute.
=: Specifies the attribute.
A: atime: Tell the system not to modify the last access time of this file.
S: sync. Once the application writes the file, the system immediately writes the Modification result to the disk.
A: append only. The system only allows data to be appended to this file. No process is allowed to overwrite or intercept this file. If the directory has this attribute, the system will only allow the creation and modification of files under this directory, and will not allow the deletion of any files.
I: immutable. The system does not allow any modifications to this file. If the directory has this attribute, any process can only modify the files under the Directory and cannot create or delete files.
D: Check for errors in the compressed file.
D: No dump. During file system backup, the dump program ignores this file.
C: compress. The system compresses the file transparently. When reading from this file, the returned data is extracted. When writing data to this file, the data is first compressed before being written to the disk.
S: secure delete. The system will use 0 to fill in the region where the file is located when deleting the file.
U: undelete: When an application requests to delete this file, the system will keep its data block so that the file can be deleted in the future.
4. Description
The chattr command is very useful. Some of the functions are supported by the Linux kernel version. If the Linux kernel version is earlier than 2.2, many functions cannot be implemented. Similarly, if-D is used to check the wrong function in the compressed file, the kernel 2.5.19 or later is required. In addition, modifying attributes using the chattr command can improve system security, but it
Not all directories. The chattr command cannot protect the/,/dev,/tmp, And/var directories.
5. Application Instance
1. Restore the/root directory, that is, all files in the subdirectory.
# Chattr-R + U/root
2. Use the chattr command to prevent the modification of a key file in the system.
In Linux, some configuration files (passwd, fatab) cannot be modified by anyone. To prevent accidental deletion or modification, you can set "immutable" for the file )", the command is as follows:
# Chattr + I/etc/fstab
Sudo
1. Role
Sudo is a command in the configuration file, which is used by users within a limited period of time and recorded in the log. The permission is for all users.
2. Format
Sudo [-bhhpv] [-S <shell>] [-u <user>] [command]
Sudo [-klv]
3. Main Parameters
-B: execute commands in the background.
-H: displays help.
-H: Set the home environment variable as the home environment variable of the new identity.
-K: end the password's validity period, that is, you will need to enter the password next time.
-L: list the commands available to the current user.
-P: the prompt symbol for changing the query password.
-S <shell>: run the specified shell.
-U <user>: uses the specified user as the new identity. when not in use, the default value is root.
-V: The password is valid for 5 minutes.
4. Description
The sudo command is configured in the/etc/sudoers file. When using sudo, you need to enter a password to verify your identity. After a period of time, you can use the defined commands. When you use commands not found in the configuration file, there will be an alarm record. Sudo is a program used by the system administrator to allow some users to run some/all system commands as root. An obvious purpose is to enhance the security of the site. If you need to do some daily work as a Super User every day, you will often execute some fixed commands that can only be executed as a Super User, so sudo is very suitable.
PS
1. Role
PS displays the dynamics of the instantaneous process. The permission is applied to all users.
2. Format
PS [Options] [-- help]
3. Main Parameters
There are many PS parameters. Only a few common parameters are listed here.
-A: List all processes.
-L: displays the long list.
-M: displays memory information.
-W: Display widening can display more information.
-E: displays all processes.
A: displays all processes on the terminal, including those of other users.
-Au: displays more detailed information.
-Aux: displays all processes that contain other users.
4. Description
To monitor and control processes, you must first understand the current process, that is, you need to view the current process. Ps command is the most basic and powerful process view command. You can use this command to determine which processes are running, the running status, whether the processes are finished, whether the processes are botnets, and which processes are occupying excessive resources. Figure 2 illustrates the PS-Aux command. Most of the information can be obtained by executing this command. The three most common parameters are u, A, and X. The following three parameters are used to describe the role of the ps command: PS aux
Figure 2 PS-Aux command details
Figure 2 in the 2nd line of code, user indicates the process owner; PID indicates the process identifier; % CPU indicates the CPU usage; % mem indicates the physical memory usage; vsz indicates the virtual memory used; RSS indicates the physical memory used by the process; tty indicates the secondary device Number of the terminal.
Stat indicates the state of the process, where D is the static state that cannot be interrupted (I/O action); R is being executed; s is static; t is paused; Z does not exist, but it cannot be eliminated for the time being; W does not have enough memory to be allocated by page; high-priority processes; n low-priority processes; l memory is allocated by PAGE and locked in the memory (real-time system or I/O ). Start indicates the process start time. Time indicates the execution time. Command is the executed command.
4. Application Instance
During system maintenance, the memory usage is often astonishing, but you do not know which process occupies a large number of processes. In addition to using the TOP command to view memory usage, you can also use the following command:
PS aux | sort + 5N
Who
1. Role
Who displays which users log on to the system. The displayed information includes the user ID, logon terminal used, launch time, idle time, CPU usage, and what has been done. The permission is granted to all users.
2. Format
Who-[husfv] [user]
3. Main Parameters
-H: do not display the title column.
-U: Do Not Display User Actions/work.
-S: Display in short format.
-F: do not display the user's online location.
-V: displays the program version.
4. Description
This command is used to view the current online users. If you want to establish instant communication with other users, such as using the talk command, you must first make sure that the user is online. Otherwise, the talk process cannot be established. Another example is that the system administrator also needs to use the who command to monitor what every login user is doing at this moment. The WHO command is very simple to use and can accurately grasp the user's situation, so it is widely used.
Hands-on exercises
1. Use Linux commands to detect system intruders
Users who have installed Mandrake Linux and Red Hat Linux will know that the Linux system has three built-in firewalls of different levels (standard, high, and higher, after installing the Linux server and some basic settings, the server should be considered safe. However, some hackers may exploit the system administrator's negligence to intrude into the system through various methods. It is important to quickly find hackers. In general, you can use commands to query whether a hacker is intruded. See table 1.
Table 1 commands for querying hacker intrusions
For example, if a hacker sniffers a network, the network interface must be in the mixed mode. Run the following command to query the network interface:
# Ifconfig-
Eth0 link encap: Ethernet hwaddr 00: 00: E8: A0: 25: 86
Inet ADDR: 192.168.1.7 bcast: 192.168.1.255 mask: 255.255.255.0
Up broadcast running promiscuous MTU: 1500 Metric: 1
......
From the output of this command, we can see the concepts mentioned above. The first line of 00: 00: E8: A0: 25: 86 is the MAC address, the second line of 192.168.1.7 is the IP address, and the fourth line is the receiving data status, the system is being sniffed by hackers. Generally, NICS have several statuses for receiving data frames, such as broadcast, multicast, and promiscuous.
. Broadcast refers to the data frame that receives all types of broadcast packets. multicast refers to receiving specific multicast packets. promiscuous is a common hybrid mode, it refers to the working mode in which the destination hardware address in the message is not checked or received in full.
2. Restrict the abuse of Su commands
We know that Super Users have the greatest right in Linux, and almost all hackers want to achieve this goal. Linux adds restrictions on switching to Super Users. You can use PAM (Pluggable Authentication Modules) to disable anyone except in the wheel group from Su root, modify the/etc/PAM. d/su file, and remove the blocking mark #
. Use/usr/sbin/usermod G10 bjecadm to add the account bjecadm to the group with the GID of 10, that is, the wheel group. The command is as follows:
/Etc/PAM. d/su # password verification #
Auth sufficient/lib/security/pam_wheel.so debug
# Only users in the wheel group can switch to the root node #
Auth required/lib/security/pam_wheel.so use_uid
Chmod-G10 bjecadm
In addition, whenever a user tries to use the su command to access a system user, the command will write a message in the/usr/ADM/sulog file, if the file records a large number of invalid operations that attempt to use Su to enter the root, it indicates that someone may attempt to crack the root password.
Linux commands have powerful functions. For Linux system administrators, they only need to combine various security command techniques to form a security defense line. From the perspective of computer security, there is no absolutely secure computer system in the world, and Linux is no exception.