Article Title: Root permission control in Linux
Linux is a popular network server operating system. It inherits the security, stability, and efficiency of UNIX systems. In Linux, Root has the highest privileges, which is why attackers usually aim to obtain Root. How can an administrator effectively manage the Root user? This article provides several security techniques from the perspective of permission control.
Demo Environment
Red Hat Enterprise Linux 5
1. Remote Logon
We know that in RHEL, the Root user is allowed to log on remotely by default. If an attacker obtains the Root password and then logs on remotely, the entire server is compromised. Therefore, we need to configure the system to deny remote Root logon. In this way, even if attackers obtain the Root password, they cannot remotely log on to the server and take control of it. There are many ways to restrict remote Root logon. I recommend two methods.
(1) SSH restrictions
We know that SSH is the service used for remote maintenance and management in Linux, similar to Telnet or Remote Desktop (port 3389) in Windows. To restrict remote Root logon through SSH, all we need to do is modify the SSH configuration file. Open /etc/ssh/sshd_config and add the line PermitRootLogin no. Note that Linux is case sensitive, so the directive must be entered exactly. Save and exit, then run service sshd restart to restart the SSH service so the change takes effect. From then on, a remote connection to the Linux server as Root is rejected.
(2) PAM Authentication
We can also use a PAM authentication module to deny the Root user from logging on to the system directly. Open the file /etc/pam.d/sshd and add the following as its first line:

auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/sshduser onerr=succeed

The auth type covers the check of the account and password at logon: you can log on to the system only after this check passes, otherwise the logon is denied. The module is /lib/security/pam_listfile.so; item=user means the entries being checked are user names (group would check group names), sense=deny means the listed entries are denied, file=/etc/sshduser names the list file (the file name and directory can be chosen freely), and onerr=succeed is the result (succeed) the module returns if an error occurs while reading the file.
Next, create the list file by running echo "root" > /etc/sshduser in a terminal. Alternatively, open the sshduser file with vi and add the user by hand. Note that when several users are listed, each user occupies its own line. After the addition is complete, try logging on to the server as Root and you will see that the logon is denied.
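As an added example (not part of the original article), the following POSIX shell audit helper checks that both controls described above, the sshd_config PermitRootLogin directive and the pam_listfile deny rule in /etc/pam.d/sshd, are actually in place. It reads whatever file paths it is given, so it can be run against the live files or against copies; it assumes sshd's "first matching directive wins" rule and ignores Match blocks.

```sh
#!/bin/sh
# Added audit helper: verifies the two remote-Root-logon controls from the
# article. Assumes sshd_config semantics (first directive wins, default
# "yes" on RHEL 5) and does not evaluate Match blocks.

# Print the effective PermitRootLogin value ("yes" if the directive is absent).
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && !seen { val = tolower($2); seen = 1 }
         END { print (seen ? val : "yes") }' "$1"
}

# Return 0 if PAM_FILE has an active auth line loading pam_listfile.so with
# item=user, sense=deny and file=DENYLIST, i.e. the rule the article adds.
pam_listfile_denies() {
    pam_file=$1; denylist=$2
    grep -v '^[[:space:]]*#' "$pam_file" |
    awk -v f="file=$denylist" '
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
        $3 ~ /pam_listfile\.so$/ {
            ok_item = ok_sense = ok_file = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "item=user")  ok_item = 1
                if ($i == "sense=deny") ok_sense = 1
                if ($i == f)            ok_file = 1
            }
            if (ok_item && ok_sense && ok_file) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Return 0 if DENYLIST names root on a line of its own.
denylist_has_root() {
    grep -qx 'root' "$1" 2>/dev/null
}

# Run all checks; print one finding per gap and return the number of gaps.
check_root_login_controls() {
    sshd_config=$1; pam_file=$2; denylist=$3; gaps=0
    [ "$(permit_root_login "$sshd_config")" = "no" ] ||
        { echo "FINDING: PermitRootLogin is not 'no' in $sshd_config"; gaps=$((gaps + 1)); }
    pam_listfile_denies "$pam_file" "$denylist" ||
        { echo "FINDING: no pam_listfile deny rule for $denylist in $pam_file"; gaps=$((gaps + 1)); }
    denylist_has_root "$denylist" ||
        { echo "FINDING: root is not listed in $denylist"; gaps=$((gaps + 1)); }
    return $gaps
}
```

On a live RHEL 5 host, run it as check_root_login_controls /etc/ssh/sshd_config /etc/pam.d/sshd /etc/sshduser; a zero exit status means both controls are present.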