Linux Server security Policy configuration-ssh and dynamic MOTD (i)


Linux login prompt (static / dynamic MOTD)

After a user logs in with a password or a key, the server can automatically perform a few simple actions for us, such as printing a prompt, printing exception information, running a script, or sending mail. Presenting this information as part of the login lets us grasp the important facts about the machine before we take any action on it. At first sight this seems to have no direct bearing on server security, and running a series of commands and scripts at login may look superfluous. So if a production Linux server does need a login prompt that runs commands or scripts, do not write a large, complex script: the script's execution time is critical. Nobody wants to wait several seconds or longer after entering the correct password, so optimise the script to run in a few milliseconds or less.



On most Linux distributions you can customise the prompt simply by editing /etc/motd and pasting into it the message you want printed (any commands or scripts placed in the file are treated as ordinary text, not executed). The text in /etc/motd stays fixed until we edit it again, so a message customised in /etc/motd is a static MOTD.


If you have used Debian/Ubuntu you may have noticed that Ubuntu already ships a dynamic MOTD by default (logging in via SSH or locally displays some of the system's current information). RHEL/CentOS cannot do this out of the box, because it provides no script for it. We can instead use the environment files such as /etc/profile or /etc/bashrc: append the commands or scripts to be executed to the end of these files, and every time a user logs in the system reads the files and runs what is defined there. We can also combine this with crontab: prepare scripts for system monitoring or for collecting exception information, run them periodically in the background from crontab, and redirect the collected information into /etc/motd, so that the monitoring and exception information is displayed when a user logs in to the system.
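As an added example of the crontab approach just described (this is not code from the original post), the following collector can be run from cron to refresh a static MOTD with a summary of the exception information that matters most for a login banner: failed SSH password attempts grouped by source address. The log path, the output path, the cron line and the sample log lines in the test are all constructed assumptions.

```shell
#!/bin/sh
# Added example: cron-driven refresh of /etc/motd with a summary of failed
# SSH logins. Paths are assumptions; /var/log/auth.log is the Debian/Ubuntu
# equivalent of /var/log/secure.
AUTH_LOG=${AUTH_LOG:-/var/log/secure}
MOTD_FILE=${MOTD_FILE:-/etc/motd}

# Count sshd "Failed password" lines per source address, most frequent first.
# Reads the log from stdin so the function can be tested on constructed input.
failed_logins_summary() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); n[ip]++ }
         }
         END { for (ip in n) printf "%6d  %s\n", n[ip], ip }' \
    | sort -rn
}

# Rebuild the MOTD into a private temporary file and rename it into place,
# so a login that happens during the rewrite never reads a half-written file.
refresh_motd() {
    tmp=$(mktemp) || return 1
    {
        echo "*** Failed SSH logins recorded in $AUTH_LOG as of $(date '+%F %T') ***"
        if [ -r "$AUTH_LOG" ]; then
            failed_logins_summary <"$AUTH_LOG"
        else
            echo "(log not readable)"
        fi
    } >"$tmp"
    chmod 644 "$tmp" && mv "$tmp" "$MOTD_FILE"
}

# Cron line that would drive it (assumption; add it with crontab -e as root):
#   */10 * * * * /usr/src/scripts/motd_failed_logins.sh --refresh
if [ "${1:-}" = "--refresh" ]; then
    refresh_motd
fi
```

Because the banner is regenerated in the background, the cost at login time is a plain read of /etc/motd, which keeps the login fast regardless of how large the log is.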


Ubuntu provides a set of scripts in the directory /etc/update-motd.d/. When a user logs in they are executed in the order of the numeric prefix (00-99) in the script name, their output is saved to the file /run/motd.dynamic, and once the login succeeds that output is printed on the login screen. The output looks like this:

[Picture 1.png: Ubuntu dynamic MOTD output after login]

/etc/update-motd.d/ Script list:

00-header

10-help-text

50-landscape-sysinfo

90-updates-available

91-release-upgrade

98-fsck-at-reboot

98-reboot-required

The above are the default dynamic MOTD scripts provided by Ubuntu 14.04 LTS. They can be modified, or you can add your own scripts, for example replacing them with a script you have written yourself.
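To make the ordering and output-collection rules above concrete, here is an added example (not Ubuntu's own code) that re-implements the step pam_motd performs on Ubuntu: run the executable scripts of an update-motd.d style directory in name order and gather their output into one file, which on a real system is /run/motd.dynamic. Ubuntu delegates this to run-parts; the name filter below mirrors run-parts' default rule of accepting only letters, digits, underscore and hyphen (an assumption about run-parts, stated as such), and the demo directory and its scripts are constructed.

```shell
#!/bin/sh
# Added example: portable emulation of how /etc/update-motd.d/* is assembled
# into /run/motd.dynamic. Not the distribution's code.

build_dynamic_motd() {
    dir=$1
    out=$2
    tmp=$(mktemp) || return 1
    # Globbing returns names sorted, which is why the 00-/10-/50- prefixes
    # decide the order of the final banner.
    for script in "$dir"/*; do
        [ -f "$script" ] && [ -x "$script" ] || continue
        case ${script##*/} in
            *[!A-Za-z0-9_-]*) continue ;;   # skip editor backups such as 50-foo~ or 50-foo.bak
        esac
        # A script that hangs would stall every login, so cap its run time.
        timeout 5 "$script" >>"$tmp" 2>/dev/null
    done
    # Rename atomically so a login during the rebuild never reads a torn file.
    mv "$tmp" "$out"
}

# Constructed fixture: two runnable scripts, one backup copy and one script
# without execute permission, to show which of them contribute output.
make_demo_motd_dir() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "header line"\n'   >"$d/00-header"
    printf '#!/bin/sh\necho "sysinfo line"\n'  >"$d/50-sysinfo"
    printf '#!/bin/sh\necho "backup copy"\n'   >"$d/50-sysinfo.bak"
    printf '#!/bin/sh\necho "disabled line"\n' >"$d/90-disabled"
    chmod +x "$d/00-header" "$d/50-sysinfo" "$d/50-sysinfo.bak"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_motd_dir)
    build_dynamic_motd "$d" "$d/motd.dynamic"
    cat "$d/motd.dynamic"     # "header line" followed by "sysinfo line"
    rm -rf "$d"
fi
```

The two details worth copying into a real deployment are the per-script time limit and the atomic rename: the first keeps a single broken script from slowing every login, the second keeps the banner file consistent while it is being rebuilt.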


Here are a few simple examples of how to customise the MOTD on RHEL/CentOS:

Print a hint, execute a script, or send a message

- Print a prompt after any user logs in remotely or locally (for example, a warning that this is an important server and the operator should work on it with care)


>> Make the SSH service print the MOTD: in the configuration file /etc/ssh/sshd_config, confirm the following setting (the default is yes)

PrintMotd yes


>> Edit /etc/motd and paste the prompt message into the file

# cat /etc/motd
****************************************************
* Note: This is an important production server, please operate with caution!!
* If you need to restart or shut down the server, please unmount NFS first
****************************************************

>> After saving, log in to the server via SSH with the correct account and password; the following prompt appears

[Picture 2.png: SSH login showing the /etc/motd message]

Of course, a simple hint like this is not enough on its own. Depending on the server, we can also print its role, the services it runs, file-system information and other important details, so that other IT staff who log in can quickly grasp the important facts about this server before taking any action. It also serves as a reminder to be careful. Customise it according to your own situation.


- Print dynamic MOTD information on RHEL/CentOS (script implementation)

>> Any user logging in remotely via SSH sees a prompt like the following

[Picture 3.png: dynamic MOTD printed by the system information script on RHEL/CentOS]


>> Create a System information collection script

# vim /usr/src/scripts/system_info.sh
#!/bin/bash
# Collect a short system summary and print it at login.
date=$(date "+%F %T")
head="System information as of: $date"
kernel=$(uname -r)
hostname=$HOSTNAME

# CPU load (1, 5 and 15 minute averages)
read -r load1 load5 load15 _ < /proc/loadavg

# System uptime
uptime=$(cut -f1 -d. /proc/uptime)
upDays=$((uptime/60/60/24))
upHours=$((uptime/60/60%24))
upMins=$((uptime/60%60))
upSecs=$((uptime%60))
up_lastime=$(date -d "$uptime second ago" +"%Y-%m-%d %H:%M:%S")

# Memory usage (the buffers/cache line only exists on older procps; newer
# versions already report used memory net of cache on the Mem: line)
mem_usage=$(free -m | awk '/Mem:/{total=$2; used=$3} /buffers\/cache/{used=$3} END {printf("%3.2f%%", used/total*100)}')
# Guard against division by zero on hosts without swap
swap_usage=$(free -m | awk '/Swap/{printf("%.2f%%", ($2 > 0) ? $3/$2*100 : 0)}')

# Processes
processes=$(ps aux | wc -l)

# Users
users=$(users | wc -w)
user=$(whoami)

# Mounted block-device file systems
filesystems=$(df -h | awk '/^\/dev/{print $6}')

# Interfaces other than loopback
interfaces=$(ip -4 ad | awk -F: '/state / && !/^[0-9]*: ?lo/ {print $2}')

echo
echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo "$head"
echo "----------------------------------------------"
printf "Kernel version:\t%s\n" "$kernel"
printf "Hostname:\t%s\n" "$hostname"
printf "System load:\t%s %s %s\n" "$load1" "$load5" "$load15"
printf "System uptime:\t%s days %s hours %s min %s sec\n" "$upDays" "$upHours" "$upMins" "$upSecs"
printf "Last reboot:\t%s\n" "$up_lastime"
printf "Memory usage:\t%s\t\t\tSwap usage:\t%s\n" "$mem_usage" "$swap_usage"
printf "Login users:\t%s\t\t\tWhoami:\t\t%s\n" "$users" "$user"
printf "Processes:\t%s\n" "$processes"
printf "\n"
printf "Filesystem\tUsage\n"
for f in $filesystems
do
    usage=$(df -h | awk -v m="$f" '$NF == m {print $5}')
    printf "%s\t\t%s\n" "$f" "$usage"
done
printf "\n"
printf "Interface\tMAC address\t\tIP address\n"
for i in $interfaces
do
    mac=$(ip ad show dev "$i" | awk '/link\/ether/ {print $2}')
    ip=$(ip ad show dev "$i" | awk '/inet / {print $2}' | tr '\n' ' ')
    printf "%s\t\t%s\t%s\n" "$i" "$mac" "$ip"
done
echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo


>> Add execute permissions to scripts

# chmod +x /usr/src/scripts/system_info.sh


>> Add the absolute path of the script to the end of the /etc/profile file

# tail -1 /etc/profile
/usr/src/scripts/system_info.sh
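Hooking the script straight into /etc/profile works, but two things the introduction warns about deserve a guard: the script runs for every login shell, whether or not a person is watching, and a single slow command inside it delays every login. The following drop-in is an added example (not from the original post) that launches the post's /usr/src/scripts/system_info.sh with both guards in place; the file name /etc/profile.d/zz-login-info.sh and the two-second budget are assumptions.

```shell
# Added example for /etc/profile.d/zz-login-info.sh (name is an assumption).
LOGIN_INFO_SCRIPT=/usr/src/scripts/system_info.sh   # path used in the post
LOGIN_INFO_BUDGET=2                                  # seconds; assumption

# 1. Only print when a terminal is attached. /etc/profile is read by every
#    login shell, interactive or not (for example "bash -l -c cmd"), and a
#    banner written into a non-terminal stream is at best wasted time.
login_hook_wanted() {
    [ -t 1 ]
}

# 2. Run the collector under a hard time limit so a hung command inside it
#    (df on a stuck NFS mount, a slow name lookup) cannot hold every login.
#    Exit status is 124 when the limit was hit, otherwise the command's own.
run_login_hook() {
    limit=$1
    shift
    timeout "$limit" "$@"
}

if login_hook_wanted && [ -x "$LOGIN_INFO_SCRIPT" ]; then
    run_login_hook "$LOGIN_INFO_BUDGET" "$LOGIN_INFO_SCRIPT" \
        || echo "(system summary skipped, status $?)"
fi
```

With the budget enforced, a misbehaving collector degrades to a one-line notice instead of a login that appears to hang, which is the failure mode the introduction asks us to avoid.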


- Send a mail message after any user logs in remotely or locally

>> Demo Below

[Picture 4.png: login that triggers the notification mail]


>> The e-mail that is sent looks like this

[Picture 5.png: the login notification e-mail as received]

>> Create the mail-sending script /usr/src/scripts/my-server-login-mail

#!/bin/bash
# Send a login notification mail containing a short system summary.
smtp=smtp.163.com
smtp_auth_user=xxxxxx               # SMTP account (placeholder)
smtp_auth_password=xxxxxxxxxx       # SMTP password (placeholder)
from=sender@example.com             # sender address (placeholder; redacted in the original)
to=recipient@example.com            # recipient address (placeholder; redacted in the original)

# Build the mail body. The original named this function "head", which shadows
# the head command it calls a few lines further down; it is renamed here.
login_report() {
    kernel_version=$(uname -r)
    login_users=$(last -a | grep -c "logged in")
    up_lastime=$(date -d "$(awk -F. '{print $1}' /proc/uptime) second ago" +"%Y-%m-%d %H:%M:%S")
    up_runtime=$(awk -F. '{run_days=$1/86400; run_hour=($1%86400)/3600; run_minute=($1%3600)/60; run_second=$1%60;
                           printf("%d days %d hours %d minutes %d seconds", run_days, run_hour, run_minute, run_second)}' /proc/uptime)
    # Most recent completed pts session: user, online time, source IP, login time
    last_user=$(last | awk '(/pts/) && (/-/) {print "user: "$1" - online time: "$NF" - ip: "$3" - login time: "$4" "$5" "$6" "$7}' \
                | head -1 | sed -e 's/(//g' -e 's/)//g')
    echo -e "
    Notice: a login from an unknown source used the ${USER} account to log in to the system
    -------------------------------------------------------------
                         System information
    Host name:                  $HOSTNAME
    Kernel version:             $kernel_version
    System running time:        $up_runtime
    Last reboot time:           $up_lastime
    Users currently logged in:  $login_users
    Last login:                 $last_user
    -------------------------------------------------------------
    "
}

# Use a private temporary file rather than the predictable /tmp/.loginmail.
mailfile=$(mktemp) || exit 1
login_report > "$mailfile"
title="Host: $HOSTNAME login notice ($(date "+%F %T"))"
body=$(cat "$mailfile")
sendEmail -s "$smtp" -xu "$smtp_auth_user" -xp "$smtp_auth_password" \
          -f "$from" -t "$to" -u "$title" -m "$body" &>/dev/null
rm -f "$mailfile"

There are many programs for sending mail on Linux; here I use sendEmail, but any other mail sender can be used instead. Note that a script launched from /etc/profile has to be readable by every user who logs in, so SMTP credentials written into it are visible to all of them; keep them in a root-only file or relay through a local MTA that needs no password.


>> Add the absolute path of the script to the end of the /etc/profile file

# tail -1 /etc/profile
/usr/src/scripts/my-server-login-mail


Conclusion

Dynamic MOTD works out of the box on Ubuntu because it is implemented as a system module invoked by pam_motd.so. We can nevertheless modify the pre-configured scripts at any time, or drop our own scripts into /etc/update-motd.d/, for example a script that collects system exception information, so that the user is told about it immediately at login; or we can monitor the system's login records in real time and report them to the user by mail, so the user can quickly tell whether the server shows signs of intrusion. For RHEL/CentOS I have also given a few simple demonstrations of how to implement a dynamic MOTD. Interested readers can use them as a reference.


This article is from the "7414593" blog, please be sure to keep this source http://7424593.blog.51cto.com/7414593/1922111
