Linux must learn 60 commands (5): Network security

Submitted by Zhanjun on Thursday, 2006-04-13 12:42

Linux must learn 60 commands: System security-related commands
Linux must learn system security commands (1)
Author: Cao Yuan, published 2004.12.03
Although Linux, like Windows NT/2000, is a multi-user system, there are many important differences between them. For administrators accustomed to Windows, keeping a Linux system secure and reliable brings many new challenges. This article focuses on the Linux system security commands.

passwd

1. Role
The passwd command changes the login password of an account. Use permissions: all users.

2. Format
passwd [options] account_name

3. Main parameters
-l: lock the named account; only users with superuser privileges can use it.
-u: unlock a locked account; only users with superuser privileges can use it.
-x, --maximum=DAYS: maximum number of days a password may be used; superuser only.
-n, --minimum=DAYS: minimum number of days before a password may be changed again; superuser only.
-d: delete the user's password; superuser only.
-S: report the password status of the specified user; superuser only.

4. Application examples

$ passwd
Changing password for user cao.
Changing password for cao
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

As the output shows, passwd asks for the old password and then for the new password twice.

su

1. Role
su switches to another user's identity; unless you are the superuser, you must type that user's password.

2. Format
su [OPTION]... [-] [USER [ARG]...]

3. Main parameters
-f, --fast: do not read startup files (such as csh.cshrc); applies only to the csh and tcsh shells.
-l, --login: start a login shell for the target user, so most environment variables (such as HOME, SHELL and USER) are taken from that user and the working directory changes. If no user is given, the default is root.
-m, -p, --preserve-environment: do not change the environment variables when running su.
-c command: switch to the user, run the given command, and then return to the original user.
USER: the account to switch to; ARG is passed as a parameter to the new shell.

4. Application examples
Switch to the superuser, run the df command, and return to the original user:
$ su -c df root

umask

1. Role
umask sets the default permission mask for the files and directories a user creates. If you put this command into a profile file, it controls the permissions of every file the user creates afterwards: it tells the system which permissions to withhold when a file is created. Use permissions: all users.

2. Format
umask [-p] [-S] [mode]

3. Parameter
-S: show the current umask setting in symbolic form.
-p: print the umask setting.
[mode]: the new mask value.

4. Notes
The traditional Unix umask value is 022, which prevents members of the user's group and other users from modifying the user's files. Since each user owns and belongs to a private group of their own, this "group protection mode" is not needed. Strict permission settings form the basis of Linux security, and a mistake in permissions can be fatal. Note that umask sets the read-write access of files created by a process; the safest value is 0077, which turns off read and write access for everyone except the owner of the created file, displayed as -rw-------. Adding the line umask 0077 to ~/.bash_profile guarantees that the process umask is set correctly each time the shell starts.

5. Application examples

$ umask -S
u=rwx,g=rx,o=rx
$ umask -p 177
$ umask -S
u=rw,g=,o=

This five-line sequence first displays the current state and then changes the umask to 177; the effect is that only the file owner can read and write the files, and other users cannot access them at all. This is clearly a very secure setting.
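
To see what a mask actually does to newly created files, here is an added shell example (not from the original article) that predicts the resulting mode for the masks discussed above and checks the prediction by creating a real file in a temporary directory; the function names effective_mode and created_mode are the example's own.

```shell
# Added example, not part of the original article: predict the mode that a new
# file or directory receives under a given umask, and confirm the prediction by
# creating a real file under that umask in a temporary directory.

# effective_mode UMASK BASE
#   BASE is 666 for regular files (the kernel never grants x on creation)
#   and 777 for directories. Prints the resulting mode in octal.
effective_mode() {
    mask=$(( 0$1 ))       # leading 0 forces octal interpretation
    base=$(( 0$2 ))
    printf '%03o\n' $(( base & ~mask ))
}

# created_mode UMASK
#   Creates an empty file with that umask and prints the mode the kernel
#   actually assigned (GNU stat first, BSD stat as a fallback).
created_mode() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/probe" ) || { rm -rf "$dir"; return 1; }
    mode=$(stat -c '%a' "$dir/probe" 2>/dev/null || stat -f '%OLp' "$dir/probe")
    rm -rf "$dir"
    printf '%03d\n' "$mode"
}

# Usage: compare the masks mentioned in the article. 022 leaves files group-
# and world-readable; 077 and 177 leave them readable by the owner only.
for m in 022 027 077 177; do
    printf 'umask %s -> file %s (observed %s), directory %s\n' \
        "$m" "$(effective_mode "$m" 666)" "$(created_mode "$m")" \
        "$(effective_mode "$m" 777)"
done
```

Note that 077 and 177 give the same result for regular files, because the kernel never turns on execute bits at creation time; the extra 1 in 177 only matters for directories and for programs that create files with an executable base mode.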

chgrp

1. Role
chgrp changes the group to which one or more files or directories belong. Use permissions: superuser.

2. Format
chgrp [OPTION]... GROUP FILE...
or
chgrp [OPTION]... --reference=RFILE FILE...

Set the group of each FILE to GROUP.

3. Parameter
-c, --changes: like --verbose, but report only when a change is made.
--dereference: affect the object a symbolic link points to, not the link itself.
-h, --no-dereference: affect the symbolic link itself rather than its target (available only where the system supports changing the ownership of a symbolic link).
-f, --silent, --quiet: suppress most error messages.
--reference=RFILE: use the group of RFILE instead of a specified GROUP.
-R, --recursive: process all files and subdirectories recursively.
-v, --verbose: output a message for every file processed.

4. Application Instructions
This command changes the user group to which the specified files belong. group can be a group ID or a group name from the /etc/group file. The file list is separated by spaces and supports wildcards. If the user is neither the owner of a file nor the superuser, the group of that file cannot be changed.

5. Application examples
Change the group of all files under /opt/local/book and its subdirectories to book:
$ chgrp -R book /opt/local/book

chmod

1. Role
chmod changes the access rights of a file or directory; with it, users control who may access their files and directories. Use permissions: superuser.

2. Format
The chmod command has two forms. The character (symbolic) method uses letters and operator expressions to set permissions relative to the current ones; the numeric method uses numbers to set permissions absolutely.

(1) Character setting method
chmod [who] [+|-|=] [mode] filename

The operand who can be any of the following letters or a combination of them:
u: the user, that is, the owner of the file or directory.
g: the group, that is, all users with the same group ID as the owner of the file.
o: other users.
a: all users; this is the system default.

Operators:
+: add a permission.
-: remove a permission.
=: grant exactly the given permissions and remove all others, if any.

The permissions in mode can be any combination of the following letters:
r: readable.
w: writable.
x: executable.
X: set execute only if the target is a directory or is already executable for some user.
s: set-user-ID or set-group-ID on execution, so the process runs with the ID of the file's owner or group. "u+s" sets the set-user-ID bit and "g+s" the set-group-ID bit.
t: keep the program text on the swap device (the sticky bit).
u: the same permissions as the file's owner.
g: the same permissions as users in the owner's group.
o: the same permissions as other users.
filename: a space-separated list of files whose permissions are to change; wildcards are supported.
Several permission settings can be given on one command line, separated by commas.

(2) Digital setting method
The general form of the numeric method is: chmod [mode] filename

mode is three octal digits (0 to 7), in the order owner (u), group (g), others (o); filename is a space-separated list of files whose permissions are to change, and wildcards are supported.

The permissions represented by each number are as follows:
0001: execute permission for the owner
0002: write permission for the owner
0004: read permission for the owner
0010: execute permission for the group
0020: write permission for the group
0040: read permission for the group
0100: execute permission for others
0200: write permission for others
0400: read permission for others
1000: the sticky bit
2000: the set-group-ID bit if the file is executable; otherwise mandatory locking of the file
4000: the set-user-ID bit if the file is executable

3. Examples
If a system administrator writes a form (tem) for all users to fill in, the users must be granted read and write access to the file, which can be done with the command:
# chmod 666 tem

How is the number 666 computed? 0002 is write permission for the owner and 0004 read permission for the owner; 0020 is write permission for the group and 0040 read permission for the group; 0200 is write permission for others and 0400 read permission for others. Adding these six numbers gives 666 (note that all the numbers are octal). The result is shown in Figure 1.

Figure 1 Setting file permissions with the Chmod digital method

As Figure 1 shows, the permissions of the tem file are -rw-rw-rw-, that is, every user has read and write access to the file.

Use the following command to set the same permissions with the character method:
# chmod a=rw tem
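
The octal arithmetic above is easy to get wrong once the 4000/2000/1000 bits are involved, so here is an added shell example (not from the original article) that renders any octal mode as the permission string ls -l would show; the function name mode_to_string is the example's own.

```shell
# Added example, not from the original article: turn an octal mode such as
# 666, 4755 or 1777 into the permission string that ls -l prints, so the
# arithmetic in the text (owner/group/others digits plus the 4000/2000/1000
# special bits) can be checked at a glance.

# mode_to_string OCTAL_MODE
#   Prints the nine-character rwx string; the execute slot shows s/S for
#   set-user-ID (4000) and set-group-ID (2000) and t/T for the sticky bit
#   (1000). Upper case means the special bit is set without execute.
mode_to_string() {
    m=$(( 0$1 ))           # leading 0 forces octal interpretation
    out=""
    for pos in 6 3 0; do   # bit offsets of the owner, group and others triplets
        triplet=$(( (m >> pos) & 7 ))
        case $pos in
            6) special=$(( m & 2048 )); lc=s; uc=S ;;   # 04000 set-user-ID
            3) special=$(( m & 1024 )); lc=s; uc=S ;;   # 02000 set-group-ID
            0) special=$(( m & 512 ));  lc=t; uc=T ;;   # 01000 sticky
        esac
        if [ $(( triplet & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( triplet & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( triplet & 1 )) -ne 0 ]; then
            if [ "$special" -ne 0 ]; then out="${out}${lc}"; else out="${out}x"; fi
        else
            if [ "$special" -ne 0 ]; then out="${out}${uc}"; else out="${out}-"; fi
        fi
    done
    printf '%s\n' "$out"
}

# Usage: the article's 666 beside the modes a permission review usually looks at.
for mode in 666 644 600 755 4755 2755 1777; do
    printf '%4s  -%s\n' "$mode" "$(mode_to_string "$mode")"
done
```

An uppercase S or T in the output is worth a second look during a review: it means a set-ID or sticky bit has been set on something that is not even executable, which is almost always a mistake in a chmod invocation.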

chown

1. Role
Change the owner and group of one or more files or directories. Use permissions: superuser.

2. Format
chown [options] user[:group] file...

3. Main parameters
--dereference: affect the object a symbolic link points to, not the link itself.
-h, --no-dereference: affect the symbolic link itself rather than its target (available only where the system supports changing the ownership of a symbolic link).
--from=CURRENT_OWNER:CURRENT_GROUP: change the owner and group only of files whose current owner and group match those given. Either may be omitted, in which case that attribute does not need to match.
-f, --silent, --quiet: suppress most error messages.
-R, --recursive: process all files and subdirectories recursively.
-v, --verbose: output a message for every file processed.

4. Notes
chown changes the owner of the specified files to the given user or group. user can be a user name or a user ID, group a group name or a group ID, and file a space-separated list of files; wildcards are supported. System administrators often use chown after copying a file into another user's directory, so that the user has permission to use the file.

5. Application examples
1. Change the owner of the file shiyan.c to wan:
$ chown wan shiyan.c

2. Change the owner of the directory /hi and all files and subdirectories under it to wan, and the group to users:
$ chown -R wan:users /hi

chattr

1. Role
Change file attributes on ext2 and ext3 file systems. Use permissions: superuser.

2. Format
chattr [-RV] [-+=AacDdijsSu] [-v version] file_or_directory

3. Main parameters
-R: recursively process all files and subdirectories.
-V: show the changes in detail.
-: remove the attribute.
+: set the attribute.
=: set exactly the given attributes.
A (atime): tell the system not to update the last access time of the file.
S (sync): whenever an application writes to the file, the system writes the change to disk immediately.
a (append only): the system allows data to be appended to the file only; no process may overwrite or truncate it. On a directory, the system allows only creating and modifying files in it, not deleting any.
i (immutable): the system allows no modification of the file at all. On a directory, processes may only modify the files in it, and may not create or delete files.
D: check for errors in compressed files.
d (no dump): the dump program skips this file when backing up the file system.
c (compress): the system compresses the file transparently; reads return the decompressed data, and writes are compressed before reaching the disk.
s (secure delete): when the file is deleted, the system overwrites the blocks it occupied with zeros.
u (undelete): when an application asks to delete the file, the system keeps its data blocks so that the file can be recovered afterwards.

4. Notes
chattr is powerful, but some attributes depend on the Linux kernel version: many are not implemented on kernels below 2.2, and the -d check for errors in compressed files needs kernel 2.5.19 or later. Setting attributes with chattr can improve system security, but it does not work for every directory: chattr cannot protect the /dev, /tmp and /var directories.

5. Application examples
1. Make all files in the /root directory and its subdirectories recoverable:
# chattr -R +u /root

2. Use chattr to prevent a key system file from being modified.
Under Linux some configuration files (passwd, fstab) should never be changed; to protect them from accidental deletion or modification, set the file's immutable bit with the following command:
# chattr +i /etc/fstab

sudo

1. Role
sudo lets a user run commands under constraints defined in a configuration file, for a limited period, with each use recorded in a log. Use permissions: all users.

2. Format

sudo [-bHhPV] [-s <shell>] [-u <user>] [command]
sudo [-klv]

3. Main parameters

-b: run the command in the background.
-h: show help.
-H: set the HOME environment variable to the home directory of the new identity.
-k: expire the cached password, so the next sudo asks for the password again.
-l: list the commands the current user is allowed to run.
-p: change the prompt shown when asking for a password.
-s <shell>: run the specified shell.
-u <user>: run as the specified user as the new identity; the default is root.
-v: extend the password validity by 5 minutes.

4. Notes
sudo is configured in the /etc/sudoers file. When a user runs sudo, they must enter a password to authenticate. An authorized command can then be used for a period of time, and an attempt to run a command that is not in the configuration file produces a warning record. sudo is a program that system administrators use to allow certain users to run some or all system commands as root. An obvious use is to strengthen the security of a site: if you routinely have to do some work as the superuser, and that work consists of a fixed set of commands that only the superuser may run, sudo is very appropriate.

ps

1. Role
ps shows a snapshot of the current processes. Use permissions: all users.

2. Format
ps [options] [--help]

3. Main parameters
ps has a great many parameters; only a few commonly used ones are listed here.

-A: list all processes.
-l: long listing.
-m: show memory information.
-w: widen the display to show more information.
-e: show all processes.
a: show all processes on terminals, including those of other users.
au: show more detailed information.
aux: show all processes, including those of other users.

4. Notes
To monitor and control processes, you first need to know which processes currently exist. ps is the most basic, and a very powerful, process viewing command. With it you can determine which processes are running and in what state, whether a process has finished or become a zombie, which processes are consuming too many resources, and so on. Figure 2 gives a detailed explanation of the ps aux command; most of the information can be obtained by running it. The three most commonly used parameters are u, a and x. The following uses these three together to explain the function of ps: ps aux

Figure 2 The ps aux command in detail

In line 2 of Figure 2, USER is the process owner, PID the process identifier, %CPU the share of CPU consumed, %MEM the share of physical memory occupied, VSZ the virtual memory used, RSS the physical memory the process occupies, and TTY the minor device number of the terminal.

STAT is the state of the process: D uninterruptible sleep (usually I/O); R running; S sleeping; T stopped; Z zombie (terminated but not yet removed); W no resident pages to allocate; < high-priority process; N low-priority process; L has pages locked in memory (real-time or I/O). START is the start time of the process, TIME the CPU time it has used, and COMMAND the command being executed.

5. Application examples
During system maintenance, memory usage is sometimes alarmingly high without it being clear which process is consuming so much. Besides viewing memory usage with the top command, you can use the following command, which sorts the ps output numerically on the RSS column (field 6; the old zero-based syntax for the same sort is sort +5n):
ps aux | sort -k 6n
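
As an added example, not from the original article, here are two small filters over ps aux output that answer the questions raised above: which processes hold the most resident memory, and which are zombies (STAT contains Z). The snapshot SAMPLE_PS is constructed for the example, and the function names top_by_rss and zombies are the example's own.

```shell
# Added example, not from the original article: two small filters over
# `ps aux` output. SAMPLE_PS is a constructed snapshot (fabricated processes)
# so the filters can be tried without a live system.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  22528  4096 ?        Ss   10:00   0:01 /sbin/init
cao       1042  1.2  5.4 812000 221184 ?       Sl   10:05   0:42 /usr/bin/firefox
cao       1100  0.0  0.0      0     0 ?        Z    10:06   0:00 [sh] <defunct>
root       870  0.3  2.1 304000 86016 ?        Ss   10:01   0:10 /usr/sbin/httpd
cao       1200 45.0  0.2  10240  8192 pts/0    R+   10:10   3:12 ./cruncher'

# top_by_rss N  (reads ps aux output on stdin)
#   Prints "PID RSS COMMAND" for the N largest resident-memory consumers.
#   RSS is field 6, so this is the modern spelling of the article's
#   `sort +5n` (zero-based field 5), reversed to put the largest first.
top_by_rss() {
    awk 'NR > 1' | sort -k 6,6nr | head -n "$1" | awk '{ print $2, $6, $11 }'
}

# zombies  (reads ps aux output on stdin)
#   Prints the PID of every process whose STAT field (field 8) contains Z:
#   terminated but not yet reaped by its parent.
zombies() {
    awk 'NR > 1 && $8 ~ /Z/ { print $2 }'
}

# Usage on the constructed snapshot; on a live system replace the printf
# with `ps aux | top_by_rss 5` and `ps aux | zombies`.
printf '%s\n' "$SAMPLE_PS" | top_by_rss 3
printf '%s\n' "$SAMPLE_PS" | zombies
```

Both filters skip the header line (NR > 1) so that the column titles never sort into the results; a zombie always shows RSS 0, which is why it is found through STAT rather than through memory use.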

who

1. Role
who displays information about the users logged in to the system: the username, the terminal used for login, the login time, the idle time, the CPU usage, and what the user is doing. Use permissions: all users.

2. Format
who [-HusfV] [user]

3. Main parameters

-H: do not display the column headings.
-u: do not display the user's activity.
-s: use the short display format.
-f: do not display the user's login location.
-V: display the program version.

4. Notes
This command is mainly used to see which users are currently online. If a user wants to open a real-time conversation with another user, for example with the talk command, the first thing to confirm is that the other user is online, or talk cannot be started. A system administrator who wants to monitor what each logged-in user is doing at the moment can also use who. who is very simple to use and gives an accurate picture of the user situation, so it is used very widely.

Hands-on practice

1. Use Linux commands to detect intruders
Users who have installed Mandrake Linux or Red Hat Linux will know that these systems offer firewalls at three levels (standard, high and higher), and once the server has been installed and given some basic settings it should be reasonably secure. Even so, hackers exploit an administrator's carelessness to break in by many routes, so finding an intrusion quickly is very important. In general, you can use commands to check whether a hacker has broken in, as shown in Table 1.

Table 1 Commands corresponding to signs of hacker intrusion

For example, if a hacker is sniffing the network, the network interface must be in promiscuous mode, which you can check with the following command:

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:00:e8:a0:25:86
          inet addr:192.168.1.7  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC  MTU:1500  Metric:1
          ......

The output shows the concepts mentioned above. On the first line 00:00:e8:a0:25:86 is the MAC address, on the second line 192.168.1.7 is the IP address, and the flags line describes the receive state: the interface is in promiscuous mode, which is what a sniffer sets. A network card has several modes for receiving data frames, such as broadcast, multicast and promiscuous. Broadcast receives all broadcast frames, multicast receives frames addressed to a particular group, and promiscuous mode accepts every frame without checking its destination hardware address.
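
Reading the flags line by eye does not scale to many interfaces or to periodic checks, so here is an added shell example (not from the original article) that extracts the interfaces in promiscuous mode from ifconfig or ip -o link output, and a second check against the raw flag word the kernel exposes in /sys/class/net/<iface>/flags. The sample outputs are constructed, modelled on the listing above, and the function names promisc_ifaces and flags_promisc are the example's own.

```shell
# Added example, not from the original article: find interfaces in
# promiscuous mode. promisc_ifaces reads either ifconfig output (old or new
# style) or `ip -o link` output on stdin and prints the interface names whose
# flags contain PROMISC. flags_promisc checks the raw flag word that the
# kernel exposes in /sys/class/net/<iface>/flags (IFF_PROMISC is bit 0x100).

promisc_ifaces() {
    awk '
        # `ip -o link` lines: "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
        /^[0-9]+: /  { iface = $2; sub(/:$/, "", iface) }
        # ifconfig starts each block with the name: "eth0      Link encap:..." or "eth0: flags=..."
        /^[A-Za-z]/  { iface = $1; sub(/:$/, "", iface) }
        # flag lines are indented in ifconfig output, so they never reset iface
        toupper($0) ~ /PROMISC/ && iface != "" && !seen[iface]++ { print iface }
    '
}

# flags_promisc HEXFLAGS -> prints yes/no, e.g. for $(cat /sys/class/net/eth0/flags)
flags_promisc() {
    if [ $(( $1 & 0x100 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Constructed sample output, modelled on the article's ifconfig listing
SAMPLE_IFCONFIG='lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
eth0      Link encap:Ethernet  HWaddr 00:00:e8:a0:25:86
          inet addr:192.168.1.7  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'

SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

# Usage; on a live host: ifconfig -a | promisc_ifaces   or   ip -o link | promisc_ifaces
printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
printf '%s\n' "$SAMPLE_IPLINK" | promisc_ifaces
flags_promisc 0x1103
```

The sysfs check is the one to prefer in a scheduled job: it does not depend on the output format of a user-space tool, and a flag word that gains bit 0x100 between two runs is a concrete event to alert on. Keep in mind that legitimate software (bridging, some monitoring agents) also enables promiscuous mode, so the finding is a prompt for investigation rather than proof of an intrusion.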

2. Limit abuse of the su command
We know that the superuser has the most power in Linux, and almost every hacker wants that power. Linux can tighten the restrictions on switching to the superuser. With PAM (Pluggable Authentication Modules) you can forbid anyone outside the wheel group from using su to become root: edit the /etc/pam.d/su file and remove the comment marker # from the relevant lines. Then use /usr/sbin/usermod -G 10 bjecadm to add the account bjecadm to the group with GID 10, which is the wheel group. The commands are as follows:

# /etc/pam.d/su
# use password authentication
auth sufficient /lib/security/pam_wheel.so debug
# only members of the wheel group may switch to root
auth required /lib/security/pam_wheel.so use_uid

Add the account to the wheel group:
/usr/sbin/usermod -G 10 bjecadm

In addition, whenever a user tries to use su to become another user, the command writes a record to the /usr/adm/sulog file. A large number of failed attempts to su to root recorded there indicates that someone may be trying to crack the root password.
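
Spotting such a pattern means counting failures per user rather than reading the log top to bottom. The following is an added shell example, not from the original article, that does this for the traditional sulog record format described above ("SU date time +|- tty user-target", where "-" marks a failure) and for the "FAILED SU (to root) user on tty" line that util-linux su writes through syslog; the syslog wording is an assumption to adjust for your own su, the log lines are constructed, and the function name failed_root_su is the example's own.

```shell
# Added example, not from the original article: count failed attempts to
# become root through su, per originating user. Two record formats are
# handled: the traditional sulog line the article describes
# ("SU date time +|- tty user-target", "-" meaning failure) and the
# "FAILED SU (to root) user on tty" message that util-linux su sends to
# syslog; the exact syslog wording is an assumption, adjust it for your su.
failed_root_su() {
    awk '
        $1 == "SU" && $4 == "-" {
            n = split($6, a, "-")            # user-target; target may be root
            if (a[n] == "root") count[a[1]]++
        }
        /su\[[0-9]+\]: FAILED SU \(to root\)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "root)") { count[$(i+1)]++; break }
        }
        END { for (u in count) printf "%d %s\n", count[u], u }
    ' | sort -rn
}

# Constructed sample log, not a real record
SAMPLE_SULOG='SU 04/13 12:40 - pts/0 mallory-root
SU 04/13 12:41 - pts/0 mallory-root
SU 04/13 12:42 + pts/1 cao-root
SU 04/13 12:43 - pts/0 mallory-root
SU 04/13 12:50 - pts/2 bob-root
SU 04/13 12:51 + pts/2 bob-www
Apr 13 12:55:01 host su[2211]: FAILED SU (to root) mallory on pts/0
Apr 13 12:56:10 host su[2230]: (to root) cao on pts/1'

# Usage: list the counts, then flag anyone over a threshold.
# On a live system: failed_root_su < /usr/adm/sulog   (or < /var/log/auth.log)
printf '%s\n' "$SAMPLE_SULOG" | failed_root_su
printf '%s\n' "$SAMPLE_SULOG" | failed_root_su |
    awk -v limit=3 '$1 >= limit { print "ALERT:", $2, "failed su to root", $1, "times" }'
```

Successful switches ("+" records, or syslog lines without FAILED) are deliberately left out of the count; a review of who did become root is a separate question from who is guessing the password, and mixing the two hides the second in the noise of the first.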

Linux commands are very powerful. For a Linux system administrator, it is usually only by combining a variety of security commands and techniques that a security perimeter is formed. From the point of view of computer security there is no absolutely secure computer system in the world, and Linux is no exception.
