Introduction to important Linux security commands (III)

The preceding important Linux security commands involve important commands for user and file permissions. Today we will introduce the chattr, sudo, ps, and who commands. Here we have completed all the important Linux security commands, and hope this course will help you.

VII. chattr

1. Role

Modify the attributes of the ext2 and ext3 file systems and use the permission superuser.

2. Format

Chattr [-RV] [-+ = AacDdijsSu] [-v version] file or directory

3. Main Parameters

-R: recursively processes all files and subdirectories.

-V: displays the modified content in detail and prints the output.

-: Invalid attribute.

+: Activation attribute.

=: Specifies the attribute.

A: Atime: Tell the system not to modify the last access time of this file.

S: Sync. Once the application writes the file, the system immediately writes the Modification result to the disk.

A: Append Only. The system Only allows data to be appended to this file. No process is allowed to overwrite or intercept this file. If the directory has this attribute, the system will only allow the creation and modification of files under this directory, and will not allow the deletion of any files.

I: Immutable. The system does not allow any modifications to this file. If the directory has this attribute, any process can only modify the files under the Directory and cannot create or delete files.

D: Check for errors in the compressed file.

D: No dump. During file system backup, the dump program ignores this file.

C: Compress. The system compresses the file transparently. When reading from this file, the returned data is extracted. When writing data to this file, the data is first compressed before being written to the disk.

: Secure Delete: enables the system to fill in the region of the file with 0 When deleting the file.

U: Undelete: When an application requests to delete this file, the system will keep its data block so that the file can be deleted in the future.

4. Description

The chattr command is very useful. Some of the functions are supported by the Linux kernel version. If the Linux kernel version is earlier than 2.2, many functions cannot be implemented. Similarly, if-D is used to check the wrong function in the compressed file, the kernel 2.5.19 or later is required. In addition, modifying attributes using the chattr command can improve system security, but it is not suitable for all directories. The chattr command cannot protect the/,/dev,/tmp, And/var directories.

5. Application Instance

1. Restore the/root directory, that is, all files in the subdirectory.

# Chattr-R + u/root

2. Use the chattr command to prevent the modification of a key file in the system.

In Linux, some configuration files (passwd, fatab) cannot be modified by anyone. To prevent accidental deletion or modification, you can set "immutable" for the file )", the command is as follows:

# Chattr + I/etc/fstab

VIII. sudo

1. Role

Sudo is a command in the configuration file, which is used by users within a limited period of time and recorded in the log. The permission is for all users.

2. Format
Sudo [-bhHpV] [-s <shell>] [-u <user>] [command]
Sudo [-klv]

3. Main Parameters
-B: execute commands in the background.
-H: displays help.
-H: Set the HOME environment variable as the HOME environment variable of the new identity.
-K: end the password's validity period, that is, you will need to enter the password next time.
-L: list the commands available to the current user.
-P: the prompt symbol for changing the query password.
-S <shell>: run the specified Shell.
-U <user>: uses the specified user as the new identity. when not in use, the default value is root.
-V: The password is valid for 5 minutes.

4. Description

The sudo command is configured in the/etc/sudoers file. When using sudo, you need to enter a password to verify your identity. After a period of time, you can use the defined commands. When you use commands not found in the configuration file, there will be an alarm record. Sudo is a program used by the system administrator to allow some users to run some/all system commands as root. An obvious purpose is to enhance the security of the site. If you need to do some daily work as a Super User every day, you will often execute some fixed commands that can only be executed as a Super User, so sudo is very suitable.

IX. ps

1. Role

Displays the dynamics of an instantaneous process. The permission is granted to all users.

2. Format

[Options] [-- help]

3. Main Parameters

Only a few common parameters are listed here.
-A: List all processes.
-L: displays the long list.
-M: displays memory information.
-W: Display widening can display more information.
-E: displays all processes.
A: displays all processes on the terminal, including those of other users.
-Au: displays more detailed information.
-Aux: displays all processes that contain other users.

4. Description

To monitor and control processes, you must first understand the current process, that is, you need to view the current process. Ps command is the most basic and powerful process view command. You can use this command to determine which processes are running, the running status, whether the processes are finished, whether the processes are botnets, and which processes are occupying excessive resources. Figure 2 illustrates the ps-aux command. Most of the information can be obtained by executing this command. The three most common parameters are u, a, and x. The following three parameters are used to describe the role of the ps command: ps aux

In the Code in line 2nd, USER indicates the process owner; PID indicates the process identifier; % CPU indicates the CPU usage; % MEM indicates the physical memory usage; VSZ indicates the virtual memory occupied; RSS indicates the physical memory occupied by the process; TTY indicates the secondary device Number of the terminal.

STAT indicates the state of the process, where D is an uninterrupted static I/O action); R is in progress; S is in static state; T is paused; Z does not exist, but cannot be eliminated temporarily; W does not have enough memory to be allocated by page; high-priority processes; N low-priority processes; L memory is allocated by PAGE and locked in the memory (real-time system or I/O ). START indicates the process START time. TIME indicates the execution TIME. COMMAND is the executed COMMAND.

4. Application Instance

During system maintenance, the memory usage is often astonishing, but you do not know which process occupies a large number of processes. In addition to using the top command to view memory usage, you can also use the following command:

Aux | sort + 5n

10. who

1. Role

Who displays which users log on to the system. The displayed information includes the user ID, logon terminal used, launch time, idle time, CPU usage, and what has been done. The permission is granted to all users.

2. Format

Who-[husfV] [user]

3. Main Parameters
-H: do not display the title column.
-U: Do Not Display User Actions/work.
-S: Display in short format.
-F: do not display the user's online location.
-V: displays the program version.

4. Description

This command is used to view the current online users. If you want to establish instant communication with other users, such as using the talk command, you must first make sure that the user is online. Otherwise, the talk process cannot be established. Another example is that the system administrator also needs to use the who command to monitor what every login user is doing at this moment. The who command is very simple to use and can accurately grasp the user's situation, so it is widely used.

Hands-on exercises

1. Use Linux commands to detect system intruders

Users who have installed Mandrake Linux and Red Hat Linux will know that the Linux system has three built-in firewalls with different levels of standards, high levels, and higher, after installing the Linux server and some basic settings, the server should be considered safe. However, some hackers may exploit the system administrator's negligence to intrude into the system through various methods. It is important to quickly find hackers. Generally, you can use commands to check whether a hacker is intruded.

For example, if a hacker sniffers a network, the network interface must be in the mixed mode. Run the following command to query the network interface:
# Ifconfig-
Eth0 Link encap: Ethernet HWaddr 00: 00: E8: A0: 25: 86
Inet addr: 192.168.1.7 Bcast: 192.168.1.255 Mask: 255.255.255.0
Up broadcast running promiscuous mtu: 1500 Metric: 1
......

From the output of this command, we can see the concepts mentioned above. The first line of 00: 00: E8: A0: 25: 86 is the mac address, the second line of 192.168.1.7 is the IP address, and the fourth line is the receiving data status, the system is being sniffed by hackers. Generally, the NIC has several statuses for receiving data frames, such as Broadcast, Multicast, and Promiscuous. Broadcast refers to the data frame that receives all types of Broadcast packets. Multicast refers to receiving specific Multicast packets. Promiscuous is a common hybrid mode, it refers to the working mode in which the destination hardware address in the message is not checked or received in full.

2. Restrict the abuse of su commands

We know that Super Users have the greatest right in Linux, and almost all hackers want to achieve this goal. Linux adds restrictions on switching to Super Users. You can use PAMPluggable Authentication Modules to prohibit anyone except in the wheel group from su root, modify the/etc/pam. d/su file, and remove the blocked ID #. Use/usr/sbin/usermod G10 bjecadm to add the account bjecadm to the group with the gid of 10, that is, the wheel group. The command is as follows:

/Etc/pam. d/su # password verification #
Auth sufficient/lib/security/pam_wheel.so debug
# Only users in the wheel group can switch to the root node #
Auth required/lib/security/pam_wheel.so use_uid
Chmod-G10 bjecadm

In addition, whenever a user tries to use the su command to access a system user, the command will write a message in the/usr/adm/sulog file, if the file records a large number of invalid operations that attempt to use su to enter the root, it indicates that someone may attempt to crack the root password.

After completing important Linux security commands, I sincerely hope this series will help you.

1. Linux security command 1)
2. Detailed analysis of Linux System Network Services
3. Introduction to the method for determining Linux blacklist
4. Solve Linux garbled characters
5. Linux link file type