As Linux is deployed ever more widely, its security draws more and more attention. Security is a broad and complex subject; here we focus on Linux user account security, and in particular on what a Linux system administrator can do to keep user accounts secure.
Password Security
In Linux, the /etc/passwd file holds the information about each user that every part of the system needs to know. Each line has seven colon-separated fields: login name, encrypted password, user ID (UID), group ID (GID), comment, home directory, and login shell. On almost all current systems the password field holds only a placeholder such as "x", and the password hash itself lives in /etc/shadow, which only root can read; /etc/passwd has to stay world-readable because programs need to map UIDs to names. The UID and GID uniquely identify a user and the group whose members share access rights, and they are what the kernel checks when it decides whether a file may be accessed.

A good password should contain at least six characters; eight or more is better, and longer minimums are the norm today. Do not use personal information such as a birthday or a name, the login name (forwards or reversed), or a common English word: any of these falls to a dictionary attack quickly. A password should contain non-letter characters such as digits, punctuation marks, and control characters. It must be easy to remember, and it must not be written on paper or kept in a file on the computer. One workable method is to join two unrelated words with a digit or punctuation character and truncate the result to eight characters; eight truly random characters are better still, if you can remember them. Do not reuse a password on different machines, and above all not across accounts with different privilege levels. Do not store passwords in a terminal's programmable function keys or in a modem's memory. Change passwords regularly, about once every three months; the system administrator can enforce a maximum password age (for example with chage -M). Finally, to keep others from shoulder-surfing your password, make sure no one is watching when you type it.
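The following is an added example, not code from the original article. It parses /etc/passwd lines into the seven fields described above and runs a few of the checks an administrator would make (an account with an empty password field, a hash left in the world-readable passwd file instead of /etc/shadow, more than one UID 0 account), then tests candidate passwords against the selection rules given above. The passwd lines and the word list are constructed for the example; on a real system you would read /etc/passwd and a word list such as /usr/share/dict/words.

```python
# Added example (not from the original article): parse /etc/passwd lines into
# their seven fields, audit them, and check candidate passwords against the
# rules in the text.  The passwd content and word list below are constructed.
import re

PASSWD_FIELDS = ("login", "password", "uid", "gid", "comment", "home", "shell")

# Constructed sample of /etc/passwd content; not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/sh
toor:x:0:0:backup admin:/root:/bin/bash
legacy:$1$abcdefgh$0123456789abcdefghijkl:1002:1002::/home/legacy:/bin/sh
"""

# Constructed stand-in for a word list such as /usr/share/dict/words.
SMALL_DICTIONARY = {"password", "secret", "linux", "welcome", "dragon", "monkey"}


def parse_passwd(text):
    """Return one dict per non-empty line, keyed by the seven field names."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(PASSWD_FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit_passwd(entries):
    """Flag the account problems an administrator looks for in /etc/passwd."""
    findings = []
    uid0 = [e["login"] for e in entries if e["uid"] == 0]
    if len(uid0) > 1:
        findings.append(f"multiple UID 0 accounts: {', '.join(uid0)}")
    for e in entries:
        pw = e["password"]
        if pw == "":
            findings.append(f"{e['login']}: empty password field (login without a password)")
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # Anything else is a real hash, readable by everyone because
            # /etc/passwd is world-readable; it belongs in /etc/shadow.
            findings.append(f"{e['login']}: password hash stored in /etc/passwd instead of /etc/shadow")
    return findings


def check_password(candidate, login, dictionary=SMALL_DICTIONARY, min_len=8):
    """Return the rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if candidate.isalpha():
        problems.append("contains only letters")
    low = candidate.lower()
    # Strip digits and punctuation so that 'dragon1!' or 'ecila99' are still
    # recognised as a padded dictionary word or reversed login name.
    letters = re.sub(r"[^a-z]", "", low)
    if letters in (login.lower(), login.lower()[::-1]):
        problems.append("is built from the login name or its reverse")
    if letters in dictionary:
        problems.append("is built from a dictionary word")
    return problems


if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print("passwd:", finding)
    for pw in ("alice", "dragon1!", "Tank7Bulb"):
        print(f"{pw!r}: {check_password(pw, 'alice') or 'acceptable'}")
```

Run it as a script to see the three findings for the constructed file and the verdict on each candidate; "Tank7Bulb" is the two-unrelated-words-plus-a-digit pattern recommended above and passes every rule.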
File and Directory Security
umask sets the default mask applied to the permissions of the files and directories a user creates. If you put the command in your .profile, it controls the permissions of every file you create afterwards. umask is the complement of chmod: instead of granting permissions, it names the permission bits the system is to withhold whenever a file is created.
1. If other users should not be able to write to your files or directories:
A umask of 022 does this: files are created readable by everyone but writable only by you. Make sure your .profile cannot be read or written by others; do not leave important files in temporary directories; no one but you should be able to write to your home directory; files that arrive by UUCP should be encrypted and moved into your own directory as soon as possible.
2. If other users should not be able to read your files or directories either:
Set umask to 006 or 007, which withholds all access from users outside your group (007 also keeps them from searching your directories); set it to 077 if the members of your own group are to be kept out as well. Temporary files are created subject to whatever umask is in force, so a program that writes sensitive data to a temporary file must itself make sure the file cannot be read by other users, by creating it with mode 0600 rather than relying on the umask. With these settings other users cannot read anything in your home directory.
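As an added example (not from the original article), the script below shows how each umask value mentioned above affects a newly created file and directory, and why a program handling sensitive data must set a private mode on its temporary file itself: tempfile.mkstemp asks for mode 0600 explicitly, so the result stays private under any umask. It creates only probe files in a temporary directory and restores the caller's umask afterwards.

```python
# Added example (not from the original article): the effect of umask on newly
# created files and directories, and a temporary file that stays private
# regardless of the umask.  Runs on any Unix-like system with a normal /tmp.
import os
import stat
import tempfile


def mode_with_umask(mask, kind="file", requested=None):
    """Create a file or directory under `mask` and return its permission bits.

    `requested` is the mode the creating program asks for (0o666 for files and
    0o777 for directories, the usual defaults); the kernel clears every bit that
    is set in the umask.  The caller's umask is restored before returning.
    """
    if requested is None:
        requested = 0o666 if kind == "file" else 0o777
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "probe")
            if kind == "file":
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested)
                os.close(fd)
            else:
                os.mkdir(path, requested)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def private_tempfile_mode(mask):
    """Permission bits of a file made with tempfile.mkstemp under `mask`.

    mkstemp requests 0o600 explicitly, and a umask can only remove bits, so the
    file is private however permissive the umask is.  That is what a program
    storing sensitive data in a temporary file has to arrange for itself.
    """
    old = os.umask(mask)
    try:
        fd, path = tempfile.mkstemp()
        try:
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
        finally:
            os.unlink(path)
    finally:
        os.umask(old)


if __name__ == "__main__":
    for mask in (0o022, 0o006, 0o007, 0o077):
        print(f"umask {mask:03o}: file {mode_with_umask(mask):04o}, "
              f"dir {mode_with_umask(mask, 'dir'):04o}, "
              f"mkstemp {private_tempfile_mode(mask):04o}")
```

Running it prints one line per umask; 022 yields 0644 files and 0755 directories, 006 and 007 yield 0660 files, 077 yields 0600 files and 0700 directories, while the mkstemp file is 0600 in every case.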
Security of Copying and Moving Files
When cp copies a file and the target does not yet exist, the classic Unix cp gives the new file the same access permissions as the source, including the set-user-ID (SUID) and set-group-ID (SGID) bits, while the new file belongs to the user who ran cp. A copy of someone else's SUID program is therefore a program that is SUID to you: anyone who runs the copy gets your privileges, not the original owner's. Be careful when copying other users' files, and never copy a SUID program you do not fully trust. (GNU cp clears the set-user-ID and set-group-ID bits on a new copy unless told to preserve the mode with -p or --preserve=mode, but not every copy tool does this, and a copy made by root with -p keeps both the bits and the original owner.)
When mv moves a file, the file's access permissions and ownership are unchanged; within one file system mv only renames the directory entry. Anyone with write and search (execute) permission on a directory can therefore move a SUID program out of it without altering its mode. If directory permissions are set wrongly, one of your own SUID programs can be moved into a directory where you can no longer modify or delete it, leaving a program that runs with your privileges outside your control. That is the vulnerability.
cpio copies a directory tree into an ordinary archive file and, run in the other direction, recreates the tree from the archive. Use it with care: extracting an archive can overwrite files outside the current directory tree, because entries whose paths are absolute or contain ".." are written wherever they point. Always list the archive's contents first with the t option (cpio -it < archive) and only then extract it.
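An added example, not part of the original text: Python's shutil reproduces the copy behaviours described above. shutil.copy copies the mode bits, set-user-ID included, onto a new file that belongs to whoever made the copy, which is the classic cp behaviour; shutil.copyfile copies only the data; os.rename is what mv does within one file system. The "SUID program" is a constructed shell script marked set-user-ID to the current user, created in a temporary directory and removed afterwards.

```python
# Added example (not from the original article): what a data-only copy, a
# mode-preserving copy and a same-file-system move each do to the set-user-ID
# bit, the owner and the inode of a (constructed) SUID program.
import os
import shutil
import stat
import tempfile


def _describe(path, src_stat):
    """Report the SUID bit, owner and identity of `path` relative to the source."""
    st = os.stat(path)
    return {
        "suid": bool(st.st_mode & stat.S_ISUID),
        "same_inode_as_source": st.st_ino == src_stat.st_ino and st.st_dev == src_stat.st_dev,
        "owner_is_me": st.st_uid == os.geteuid(),
    }


def suid_copy_and_move():
    """Copy and move a constructed SUID file; return what each operation kept."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "tool")
        with open(src, "w") as f:
            f.write("#!/bin/sh\nid\n")      # constructed stand-in for someone's SUID program
        os.chmod(src, 0o4755)                # set-user-ID bit on; the owner is the current user
        src_stat = os.stat(src)
        result = {"source": {"suid": bool(src_stat.st_mode & stat.S_ISUID)}}

        data_only = os.path.join(tmp, "copy_data_only")
        shutil.copyfile(src, data_only)      # contents only; the mode comes from the umask
        result["copyfile"] = _describe(data_only, src_stat)

        with_mode = os.path.join(tmp, "copy_with_mode")
        shutil.copy(src, with_mode)          # contents plus mode bits, SUID included: classic cp
        result["copy"] = _describe(with_mode, src_stat)

        moved = os.path.join(tmp, "moved")
        os.rename(src, moved)                # mv within one file system: same inode, mode and owner
        result["moved"] = _describe(moved, src_stat)
        return result


if __name__ == "__main__":
    for op, info in suid_copy_and_move().items():
        print(f"{op:9s} {info}")
```

The data-only copy loses the SUID bit, the mode-preserving copy keeps it on a fresh inode owned by the copier (the dangerous case in the text), and the move keeps everything, inode included, because nothing but the directory entry changed.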
Do Not Leave a Logged-In Terminal Unattended
This seems trivial, but it is the most easily overlooked point. A few minutes of carelessness are enough for someone to use your session against the system. Lock the terminal or log out before you step away; the administrator can also set an idle timeout for interactive shells (TMOUT in bash) so that abandoned sessions are closed automatically.
Security of File Encryption
The crypt command lets users encrypt files. Given a key, it turns the data read from standard input into unreadable text on standard output; running crypt on the encrypted file with the same key restores the original contents.
As a rule, delete the plaintext original after encrypting and keep only the encrypted version, and do not forget the key. vi usually has a matching encryption function: vi -x edits encrypted files. Choose encryption keys by the same rules as passwords.
A program called crypt may be a Trojan horse that records the keys typed into it, so never use your login password as an encryption key. It is also best to compress a file with pack or compress before encrypting it: the file gets smaller, and compression removes the regularities in plain text that an attacker could otherwise exploit. Bear in mind that the cipher in the classic crypt(1) (and in the matching vi -x) is a rotor machine that was broken decades ago, so it keeps out only casual readers; use a modern encryption tool for anything that matters.