Process and terminal management of Linux system

Source: Internet
Author: User

The original text was published in "Cyber Security and Informatization", issue 3 of 2018, and is reproduced here on the blog.

Process management is a basic skill that every Linux system administrator should master. Linux is a typical multi-user operating system: several users can log in from different terminals at the same time, and the processes a user starts are closely tied to the terminal they were started from. Taking a CentOS 7 system as the example, this article explains how to manage the processes and terminals of a Linux system through two concrete examples.

1. What are the terminals of a Linux system?

We usually call a set of input and output devices such as a keyboard, a mouse and a monitor a terminal; one that is connected directly to the computer is called a physical terminal. When operating a computer with Windows installed, there is usually only one physical terminal and a single working interface. Linux, on the other hand, supports virtual terminals: when operating a computer with Linux installed, the user still faces one set of physical terminal devices, but can open several independent, non-interfering working interfaces through virtual terminals.
By default Linux provides 6 virtual terminals. The 1st is the graphical interface and the 2nd to 6th are character interfaces; Ctrl+Alt+F1 to Ctrl+Alt+F6 switch between them. For example, on a Linux system with X Window installed, the default is to enter the 1st virtual terminal, the graphical interface; pressing Ctrl+Alt+F2 at this point switches to the 2nd virtual terminal, which is a character interface.
The abbreviation for a virtual terminal is tty, and the tty command, run in a character interface, displays the number of the terminal the user is currently on.

[[email protected] ~]# tty
/dev/tty2

Since we usually manage Linux servers remotely over the network, the terminal opened by a remote login is called a pseudo terminal (pts). For example, if we log in to the Linux system remotely with Xshell and then run the tty command, the result is "/dev/pts/0", which indicates that this is the first pseudo terminal opened since the system started (pseudo terminal numbering starts from 0).

[[email protected] ~]# tty
/dev/pts/0

Also, if X Window is installed, right-clicking on an empty area of the desktop in the graphical interface and choosing "Open in Terminal" opens a pts pseudo terminal as well. This case can be ignored, however, because few people do this in a production environment.
To sum up, terminals on a Linux system fall into two main categories: a terminal opened locally by the user is a virtual terminal (tty), and a terminal opened remotely by the user is a pseudo terminal (pts). Because in most cases we manage Linux servers remotely, the terminals users work in are mainly pseudo terminals (pts). Each terminal has a corresponding number, and the tty command shows the number of the terminal the user is currently on.

2. Terminal information in the process

Processes in a Linux system are closely related to the terminal from which they were started. For example, the ps command run without any options shows only the processes the current user started on the current terminal.

[[email protected] ~]# ps
  PID TTY          TIME CMD
 5290 pts/0    00:00:00 bash
 5309 pts/0    00:00:00 ps

As you can see, the current user has started only 2 processes, "bash" and "ps". "ps" is the process of the ps command just executed, and "bash" is the terminal process corresponding to the current terminal; it is also the parent process of the ps process.
To see all processes in the system, you need to add the appropriate options to the ps command, such as the commonly used combination "aux": option "a" displays all processes related to the current terminal, and option "x" displays all processes unrelated to the current terminal, so the two options together represent all processes in the system.
For example, to view detailed information on all processes in the current system one screen at a time:

[[email protected] ~]# ps aux | more
USER  PID  %CPU  %MEM   VSZ   RSS  TTY  STAT   START   TIME  COMMAND
root    1    0.0     0.4   193628  4636  ?     Ss   00:14   0:06 /usr/lib/systemd/systemd --switched-root --system --deserialize 21
root    2    0.0     0.0      0     0    ?     S    00:14   0:00   [kthreadd]
root    3    0.0     0.0      0     0    ?     S    00:14   0:07   [ksoftirqd/0]
……

In the detailed process information you can see that the TTY field of many processes is shown as "?", which means the process was not started by a user at a terminal but by the system kernel.
All processes started by a user executing a command are tied to a terminal, and when that terminal is closed, all processes on it are closed automatically. This is a very important characteristic of Linux, and the two examples below are concrete applications of it.
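The TTY column is the key to the rest of the article, so the following added example (not code from the article) summarises `ps aux` output by that column: how many processes sit on each terminal and how many have no terminal at all ("?"). The sample output is constructed to resemble the listing above; on a live host the same functions can be fed with the real output of `ps aux`.

```shell
#!/usr/bin/env bash
# Added example, not from the article: group `ps aux` output by the TTY
# column (field 7), so processes with no controlling terminal ("?") are
# separated from those started by a logged-in user on a tty or pts.
# SAMPLE_PS is constructed for the demo; live use:  ps aux | summarise_by_tty

SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.4 193628 4636 ? Ss 00:14 0:06 /usr/lib/systemd/systemd --switched-root
root 2 0.0 0.0 0 0 ? S 00:14 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 00:14 0:07 [ksoftirqd/0]
root 5290 0.0 0.1 116168 2740 pts/0 Ss 15:50 0:00 -bash
root 5309 0.0 0.0 155324 1840 pts/0 R+ 15:51 0:00 ps aux
root 6012 0.0 0.1 116168 2700 tty2 Ss+ 16:11 0:00 -bash'

# summarise_by_tty: reads ps aux lines on stdin and prints "TTY COUNT" per
# terminal, sorted by terminal name (the "?" group sorts first in C locale).
summarise_by_tty() {
    awk 'NR > 1 { n[$7]++ }
         END { for (t in n) print t, n[t] }' | LC_ALL=C sort
}

# terminal_bound: prints "TTY PID COMMAND" for every process that has a real
# terminal, i.e. everything a user started at a tty or pts.
terminal_bound() {
    awk 'NR > 1 && $7 != "?" { printf "%s %s %s\n", $7, $2, $11 }' | LC_ALL=C sort
}

# count_without_tty: number of processes whose TTY is "?".
count_without_tty() {
    awk 'NR > 1 && $7 == "?" { c++ } END { print c + 0 }'
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_PS" | summarise_by_tty
printf '%s\n' "$SAMPLE_PS" | terminal_bound
```

On a real system the "?" group is by far the largest, since it contains kernel threads and every daemon; the terminal-bound group is the one that disappears when a terminal is closed.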

3. Background startup of the process

A process is a running program: whenever we enter and execute a command at the shell command line, we start a corresponding process. Linux distinguishes between foreground and background processes. A process created by a command we execute is normally a foreground process, and an important characteristic of a foreground process is that it occupies the current terminal: until the process finishes, the user cannot perform other operations on that terminal.
For example, the command "nc -l -p 8000" listens on TCP port 8000 (nc is not installed by default in CentOS 7; if a yum repository is configured, it can be installed with "yum install nc"). This command keeps running after it is executed, and unless the user presses Ctrl+C to abort it, the process occupies the current terminal.
If a "&" is appended to the command, the process goes to the background, its result is not displayed on the screen, it does not occupy the current terminal, and the user can continue with other operations.
For example, running the nc command in the background to listen on TCP port 8000:

[[email protected] ~]# nc -l -p 8000 &
[1] 79878

Of course, you can also execute a command directly to start a foreground process and then press Ctrl+Z to move the process to the background. A process moved to the background this way, however, is in the stopped state and has to be set running in the background with the bg command.

[[email protected] ~]# nc -l -p 8000
^Z
[1]+  已停止               nc -l -p 8000
[[email protected] ~]# jobs -l
[1]+ 102964 停止                  nc -l -p 8000
[[email protected] ~]# bg 1
[1]+ nc -l -p 8000 &
[[email protected] ~]# jobs -l
[1]+ 102964 运行中               nc -l -p 8000 &

Whether a process is run in the background by appending "&" to the command or moved to the background with Ctrl+Z, it remains tied to the current terminal: if the current terminal is closed, all processes running in its background are closed as well. So if we want nc to keep listening on TCP port 8000 at all times, this is hard to achieve this way.
Therefore, if you want certain processes to run in the background permanently, you can use the nohup command to disassociate them from the current terminal. For example, suppose we want the nc command to keep running in the background and listen on TCP port 6000 of this machine regardless of whether the current terminal is closed. We can execute the following command:

[[email protected] ~]# nohup nc -l -p 6000 &
[2] 103240
[[email protected] ~]# nohup: 忽略输入并把输出追加到"nohup.out"

After running the command, close the current terminal and open a new one. Running "ps aux | grep nc" finds the process created by the nc command, and you can see that the terminal of the process created by "nc -l -p 6000" has become "?": like a process started by the system kernel, it is no longer associated with any terminal.

[[email protected] ~]# ps aux | grep nc
……
root   103240  0.0  0.1  43512   1808  ?        S    15:55   0:00  nc -l -p 6000
root   103304  0.0  0.0  112668   968  pts/0     R+   15:57   0:00  grep --color=auto nc

The process created by this command has become a background process of the system, and unless the administrator terminates it forcibly with the kill command, it will keep running.
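The mechanism behind this section is the hangup signal: when a terminal is closed, the processes attached to it receive SIGHUP, and nohup works by making the command ignore that signal. The following added example (not code from the article) makes this visible without closing a terminal: it starts one `sleep` plainly with "&" and one under nohup, sends SIGHUP to both by hand and reports which survives. Everything it uses (nohup, sleep, kill, /proc) is standard on a CentOS 7 host.

```shell
#!/usr/bin/env bash
# Added example (not from the article): why a plain "&" background job dies
# with its terminal while a nohup'd one survives. Closing a terminal delivers
# SIGHUP to the processes attached to it; here SIGHUP is sent by hand to two
# `sleep` processes so the difference can be observed from any shell.

# start_job plain|nohup: starts a background sleep and stores its PID in
# LAST_PID. Output goes to /dev/null so nohup does not create nohup.out.
start_job() {
    if [ "$1" = "nohup" ]; then
        nohup sleep 60 >/dev/null 2>&1 &
    else
        sleep 60 >/dev/null 2>&1 &
    fi
    LAST_PID=$!
}

# is_alive PID: succeeds if the process is still running. A zombie still
# answers kill -0, so on Linux the state field of /proc/PID/stat is checked.
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        state=$(sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f1)
        [ "$state" != "Z" ] || return 1
    fi
    return 0
}

# survives_hup PID: sends SIGHUP, waits a moment, prints "alive" or "dead".
survives_hup() {
    kill -HUP "$1" 2>/dev/null || true
    sleep 1
    if is_alive "$1"; then echo alive; else echo dead; fi
}

# demo_hup: runs both cases, cleans up, prints e.g. "plain=dead nohup=alive".
demo_hup() {
    start_job plain; plain_pid=$LAST_PID
    start_job nohup; nohup_pid=$LAST_PID
    plain_result=$(survives_hup "$plain_pid")
    nohup_result=$(survives_hup "$nohup_pid")
    # The survivor ignores SIGHUP, so SIGTERM is needed to stop it; then reap.
    kill "$nohup_pid" 2>/dev/null || true
    wait "$plain_pid" "$nohup_pid" 2>/dev/null || true
    echo "plain=$plain_result nohup=$nohup_result"
}

demo_hup
```

The same holds for the nc listener in the article: after `nohup nc -l -p 6000 &` the hangup caused by closing the terminal is ignored, which is why the process is still there with TTY "?" afterwards and has to be stopped with kill.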

4. Kicking out suspicious users in the system

The relationship between processes and terminals is illustrated further by the following example.
Since Linux is a multi-user operating system, as an administrator you need to know which users are currently logged in. The who command shows the currently logged-in users and related information.

[[email protected] ~]# who
root     :0           2017-10-14 15:20 (:0)
root     pts/0        2017-12-28 15:57 (192.168.80.1)
root     tty2         2017-12-28 16:11

The output of who shows that 3 users are logged in to the system as root. The first line shows no terminal name, which indicates that this root login is local; no IP address is shown because the login is local. The second line indicates that root is logged in on the remote pseudo terminal pts/0 and shows the login IP address. The third line indicates that root is logged in on the local virtual terminal tty2 and shows no IP address.
Next we create an account named hacker on the system and use it to log in remotely on a terminal.
Create the account and set its password:

[[email protected] ~]# useradd hacker
[[email protected] ~]# echo "123" | passwd --stdin hacker
更改用户 hacker 的密码 。
passwd:所有的身份验证令牌已经成功更新。

Then, from a Kali system (IP address 192.168.80.20), log in to the Linux server (IP address 192.168.80.146) over SSH with the hacker account:
[email protected]:~# ssh hacker@192.168.80.146
After the login succeeds, run the who command on the Linux server to view the currently logged-in users. A suspicious user logged in from the client with IP address 192.168.80.20 can be seen; its terminal number is pts/1.

[[email protected] ~]# who
root     :0           2017-10-14 15:20 (:0)
hacker   pts/1        2017-12-28 16:19 (192.168.80.20)
root     pts/0        2017-12-28 15:57 (192.168.80.1)
root     tty2         2017-12-28 16:11

Next we kick this suspicious user out of the system.
First, we need to find the process corresponding to the suspicious user's terminal, using the terminal name shown by who: run "ps aux | grep pts/1". The output shows that the process with PID 103707 belongs to terminal pts/1 and is a bash process; this is the terminal process we are looking for.

[[email protected] ~]# ps aux | grep pts/1
hacker  103706  0.0  0.2 142916  2224  ?       S    16:19   0:00  sshd: hacker@pts/1
hacker  103707  0.0  0.2 116168  2740  pts/1    Ss+  16:19   0:00  -bash
root    103801  0.0  0.0 112664   972  pts/0    S+   16:25   0:00  grep --color=auto pts/1

The process is then terminated forcibly with the kill command.
[[email protected] ~]# kill -9 103707
Running who again shows that the suspicious user has been kicked out, and all processes started by that user are closed automatically (except those moved to the system background with the nohup command).

[[email protected] ~]# who
root     :0           2017-10-14 15:20 (:0)
root     pts/0        2017-12-28 15:57 (192.168.80.1)
root     tty2         2017-12-28 16:11
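The manual steps of this section (read who, pick the unexpected login, find the shell on its terminal, terminate it) can be turned into a small script. The following added example is not code from the article: it parses who and ps aux output with awk, reports logins whose source address is not in a trusted list, and finds the session-leader shell (STAT containing "s") on a given terminal, printing the kill command rather than running it. The samples are constructed from the listings above; the trusted address list and the extra child process on pts/1 are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Samples are constructed from the
# figures in the text; on a live host feed the functions with `who` and
# `ps aux` output instead.

SAMPLE_WHO='root     :0           2017-10-14 15:20 (:0)
hacker   pts/1        2017-12-28 16:19 (192.168.80.20)
root     pts/0        2017-12-28 15:57 (192.168.80.1)
root     tty2         2017-12-28 16:11'

# The "sleep 600" line is an assumed child process of the hacker shell,
# added to show that a terminal can carry more than the login shell.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
hacker 103706 0.0 0.2 142916 2224 ? S 16:19 0:00 sshd: hacker@pts/1
hacker 103707 0.0 0.2 116168 2740 pts/1 Ss+ 16:19 0:00 -bash
hacker 103720 0.0 0.0 107948 608 pts/1 S+ 16:20 0:00 sleep 600
root 5290 0.0 0.1 116168 2740 pts/0 Ss 15:50 0:00 -bash'

# remote_logins ADDR...: reads who output on stdin and prints "USER TTY FROM"
# for every login from a network address that is not in the trusted list.
# Local logins (no address, or ":0" for the X display) are skipped.
remote_logins() {
    awk -v trusted="$*" '
        BEGIN { n = split(trusted, ok, " "); for (i = 1; i <= n; i++) okset[ok[i]] = 1 }
        {
            from = ""
            if ($NF ~ /^\(.*\)$/) from = substr($NF, 2, length($NF) - 2)
            if (from == "" || from == ":0" || (from in okset)) next
            print $1, $2, from
        }'
}

# session_shell TTY: reads ps aux output on stdin and prints the PID of the
# session leader on that terminal (STAT contains "s"), i.e. the login shell.
session_shell() {
    awk -v t="$1" 'NR > 1 && $7 == t && $8 ~ /s/ { print $2 }'
}

# processes_on_tty TTY: every PID whose TTY column matches, shell included.
processes_on_tty() {
    awk -v t="$1" 'NR > 1 && $7 == t { print $2 }'
}

# plan_eviction TTY: prints the kill command for the session shell, as in
# the article. Equivalent on CentOS 7:  pkill -KILL -t pts/1  (every
# process on that terminal, not only the shell).
plan_eviction() {
    shell_pid=$(session_shell "$1")
    [ -n "$shell_pid" ] && printf 'kill -9 %s\n' "$shell_pid"
}

# Demo run on the constructed samples.
printf '%s\n' "$SAMPLE_WHO" | remote_logins 192.168.80.1
printf '%s\n' "$SAMPLE_PS" | plan_eviction pts/1
```

Killing the session shell is what the article does; the sshd child for that session (PID 103706, TTY "?") is not on the terminal and exits on its own once the shell is gone, while anything the user detached with nohup is, as the text notes, unaffected.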
