Linux Security Applications 1

Source: Internet
Author: User

Prevent normal users from shutting down

consolehelper mechanism

/usr/bin/consolehelper

Configuration directory

/etc/security/console.apps/

cd /etc/security/console.apps

mkdir -m 000 locked    // the original omits the -m value; mode 000 is assumed here

mv poweroff locked    // move the poweroff helper configuration out of console.apps so consolehelper no longer grants it to console users


Clean up non-login accounts

/sbin/nologin    // login shell that refuses interactive logins

bin, daemon, shutdown ...    // system accounts that should keep /sbin/nologin as their shell

Delete redundant accounts

news, games, gopher


Using the chage tool

-d 0, forces a password change at the next login

-E yyyy-mm-dd, sets the expiration date (-E -1 cancels it)

chage -E 2014-10-31 zengye    // account zengye expires on 2014-10-31

chage -l zengye    // view the password aging details of user zengye

chage -d 0 tom    // force user tom to change the password at the next login

chage -m 0 tom    // minimum age 0: the password can be changed at any time

chage -m 1 -M 90 -W 5 -E 2014-10-01 -I 30 tom    // the original omits the -I value; 30 days is assumed here

-m  minimum password age (days)

-M  maximum password age (days)

-W  warning period (days before the password expires)

-E  expiration date (after it the account can no longer be accessed)

-I  inactive period (days after password expiry before the account is locked)


Lock/unlock an account

Using the passwd command

-l lock, -u unlock, -S view status

Using the usermod command

-L lock, -U unlock

passwd -l tom    // lock user tom's password

passwd -S tom    // view the password status of the user

grep tom /etc/shadow    // view the status directly: a locked password hash begins with "!"
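Everything passwd -S, chage -l and the grep on /etc/shadow report comes from the shadow fields (name:hash:last-change:min:max:warn:inactive:expire). As an added example that is not part of the original notes, the script below classifies shadow-style entries by those fields. The entries, user names and values are constructed (the hashes are placeholders, not real hashes), and the current day is passed in as a day count so the result is reproducible.

```shell
#!/bin/sh
# Added example, not from the original notes: classify /etc/shadow entries by
# the same fields that passwd -l, chage -d/-m/-M/-E manipulate.
# Day counts are days since 1970-01-01, exactly as chage -d / -E store them.

# shadow_status '<shadow line>' [today_in_days]
# Prints "NAME STATUS", where STATUS is one of:
#   locked      hash begins with "!" or "*" (passwd -l, usermod -L, system accounts)
#   expired     account expiry date (field 8, chage -E) lies in the past
#   must-change last change is 0 (chage -d 0)
#   no-max      no maximum age (field 5 empty or 99999; PASS_MAX_DAYS never applied)
#   ok          none of the above
shadow_status() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    name=$(printf '%s\n' "$line" | cut -d: -f1)
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    last=$(printf '%s\n' "$line" | cut -d: -f3)
    max=$(printf '%s\n' "$line" | cut -d: -f5)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)

    case $hash in
        '!'*|'*'*) echo "$name locked"; return 0 ;;
    esac
    if [ -n "$expire" ] && [ "$expire" -lt "$today" ]; then
        echo "$name expired"; return 0
    fi
    if [ "$last" = "0" ]; then
        echo "$name must-change"; return 0
    fi
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "$name no-max"; return 0
    fi
    echo "$name ok"
}

# Constructed sample entries (placeholder hashes). 16374 is 2014-10-31 as a day
# count, i.e. the result of "chage -E 2014-10-31 zengye" above.
SAMPLE_SHADOW='root:$6$PLACEHOLDER:16000::::::
tom:!$6$PLACEHOLDER:16000:1:90:5:::
zengye:$6$PLACEHOLDER:16000:0:99999:7::16374:
jack:$6$PLACEHOLDER:0:0:99999:7:::
bin:*:15980:0:99999:7:::'

# audit_shadow SHADOW_TEXT [today_in_days]: one status line per entry.
audit_shadow() {
    today=$2
    printf '%s\n' "${1:-$SAMPLE_SHADOW}" | while IFS= read -r entry; do
        [ -n "$entry" ] && shadow_status "$entry" "$today"
    done
}

# Run against the constructed sample with "today" fixed at day 16500 (2015-03-06).
audit_shadow "$SAMPLE_SHADOW" 16500
```

On a real system the same audit is `audit_shadow "$(cat /etc/shadow)"`, which needs root to read the file; accounts reported as no-max are the ones /etc/login.defs did not cover because they existed before PASS_MAX_DAYS was set.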


Force periodic password changes

Configuration file /etc/login.defs

-Applies to newly created users only (existing users are adjusted with chage)

Main control properties

-PASS_MAX_DAYS  maximum days

-PASS_MIN_DAYS  minimum days

-PASS_WARN_AGE  warning days

-PASS_MIN_LEN   minimum length


Reduce the number of history commands

Environment variable HISTSIZE

-Records 1000 entries by default

Avoid passing sensitive information such as passwords on the command line

-for example NFS mounts, joining a domain and similar operations

History file in the user's home directory

vim ~/.bash_history    // the history is saved in this file

vim /etc/profile    // modify HISTSIZE to change the number of entries kept


Safe use of programs and services

Disable non-essential system services

-Use the ntsysv and chkconfig tools

Prohibit normal users from executing scripts in the /etc/init.d directory

-Restrict the permissions for "other"

who -r    // view the current run level

runlevel    // view the current run level

init 3    // switch to run level 3

startx    // enter the graphical interface

ntsysv --level 35    // select which services start in run levels 3 and 5


File system planning and mounting

Plan the system partitions sensibly

-Put /boot, /home, /var and similar directories on separate volumes

mount options

-o nosuid, -o noexec

SUID: if an executable file has the x permission for others and SUID is also set, then when the file is executed, the other user runs it with the owner's permissions for the duration of the execution

# ll /bin/ls

# chmod 4755 /bin/ls    // demonstration only: set SUID on ls

# su - tom

$ ls    // runs with root's permissions while the SUID bit is set

$ exit

# chmod u-s /bin/ls    // remove the SUID bit again

mount -o noexec /dev/sda1 /boot    // do not allow executing files on this partition
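The chmod 4755 / chmod u-s sequence above is easier to reason about with a check beside it. As an added example (not from the original notes), the shell functions below find SUID/SGID files under a directory with find -perm, test one file with the POSIX test -u, and replay the set/clear sequence on a scratch file created with mktemp instead of on /bin/ls; the scratch file and its name are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit SUID/SGID files the way
# one would before deciding which partitions get mounted with -o nosuid.

# list_setuid DIR: print regular files under DIR with the SUID (4000) or SGID (2000) bit set.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# suid_is_set FILE: exit 0 when the SUID bit is set (the "s" in rws of ls -l), 1 otherwise.
suid_is_set() {
    [ -u "$1" ]
}

# demo_suid: replay "chmod 4755 /bin/ls ... chmod u-s /bin/ls" on a constructed
# scratch file and print what the audit sees at each step.
demo_suid() {
    scratch=$(mktemp -d)
    tool="$scratch/tool"
    printf '#!/bin/sh\necho "running as $(id -un)"\n' > "$tool"
    chmod 0755 "$tool"
    echo "before: $(list_setuid "$scratch" | wc -l | tr -d ' ') setuid file(s)"
    chmod 4755 "$tool"          # the "chmod 4755 /bin/ls" step
    echo "after chmod 4755: $(list_setuid "$scratch")"
    chmod u-s "$tool"           # the "chmod u-s /bin/ls" step
    echo "after chmod u-s: $(list_setuid "$scratch" | wc -l | tr -d ' ') setuid file(s)"
    rm -rf "$scratch"
}

demo_suid
```

Running `list_setuid /` on a real system gives the inventory that decides whether /home, /var or /tmp can carry nosuid: a partition with no legitimate entries in that list loses nothing from the option.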


File lock and unlock

ext3/ext4 file attribute control

-chattr, lsattr

+ - = add, remove, or replace the attribute set

-Attribute i: immutable

-Attribute a: append only

chmod a= hosts    // set the permissions to none (equivalent to 000)

chattr +i /etc/passwd    // add the i attribute: the file cannot be modified, even by root, until the attribute is removed

chattr -i /etc/passwd    // remove the i attribute

lsattr /etc/passwd    // view the file attributes


TTY terminal control

Which TTY terminals are enabled

Configuration file /etc/sysconfig/init

-ACTIVE_CONSOLES=/dev/tty[1-6]

Immediately prohibit normal user logins

-/etc/nologin

touch /etc/nologin    // create the nologin file to prevent all normal users from logging in (root is still allowed)

Only allow root to log in from specified terminals

-Configuration file /etc/securetty


Disguise the terminal login prompt

Configuration file /etc/issue    // banner shown on local login terminals

Configuration file /etc/issue.net    // banner shown on telnet remote connections; SSH does not show it unless configured

vim /etc/httpd/conf/httpd.conf

/ServerSignature    // search for the ServerSignature directive

ServerSignature Off    // change On to Off to stop Apache from appending its version signature to error pages

:wq


Disable Ctrl+Alt+Del restart

Configuration for the Ctrl+Alt+Del key

-/etc/init/control-alt-delete.conf

vim /etc/init/control-alt-delete.conf

#start on control-alt-delete

#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

:wq

:6,$s/^/#/    // or comment out lines 6 to the end with one ex command instead of adding # by hand
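The ex command 6,$s/^/#/ comments out every line from line 6 to the end of the file. As an added example that is not from the original notes, the script below does the same edit with sed on a constructed stand-in for the upstart job (the file content is reconstructed from the lines quoted above, not copied from a live system) and then checks that no active start on or exec stanza remains, which is the state the edit is meant to reach.

```shell
#!/bin/sh
# Added example, not from the original notes: scripted equivalent of the
# ":6,$s/^/#/" edit plus a check that the upstart job is really disabled.

# comment_from_line N FILE: print FILE with every line from N to the end prefixed by "#".
comment_from_line() {
    sed "$1,\$s/^/#/" "$2"
}

# job_is_disabled FILE: exit 0 when no uncommented "start on" or "exec" line remains.
job_is_disabled() {
    ! grep -Eq '^[[:space:]]*(start on|exec)[[:space:]]' "$1"
}

# make_sample_job FILE: write a constructed copy of control-alt-delete.conf in the
# RHEL 6 layout (four comment lines, a blank line, the stanza starting on line 6).
make_sample_job() {
    cat > "$1" <<'EOF'
# control-alt-delete - emergency keypress handling
#
# This task is run whenever the Control-Alt-Delete key combination is
# pressed.  Usually used to shut down the machine.

start on control-alt-delete

exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
EOF
}

# disable_job FILE: rewrite FILE in place so everything from line 6 on is
# commented out, then report whether the job is disabled.
disable_job() {
    tmp=$(mktemp)
    comment_from_line 6 "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
    job_is_disabled "$1"
}

sample=$(mktemp)
make_sample_job "$sample"
if job_is_disabled "$sample"; then echo "before: job already disabled"; else echo "before: job active"; fi
disable_job "$sample" && echo "after: job disabled"
cat "$sample"
rm -f "$sample"
```

Against the real /etc/init/control-alt-delete.conf the line number must be confirmed first (the check function is what catches a wrong count); upstart re-reads the job directory on its own, and `initctl reload-configuration` forces it.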


GRUB boot control

Purpose of setting a boot password

-Limit modification of the startup parameters

-Restrict access to the system

Password setting method

-password --md5 <MD5-encrypted password string>

-or: password <plaintext password string>

Get the MD5-encrypted password string

grub-md5-crypt

vim /etc/grub.conf

default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$kwaqv1$tjxpfkkniy7is51qrvwfd1
title Red Hat Enterprise Linux (2.6.32-358.el6.x86_64)
        password abc
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=UUID=27e5d4b2-0432-4ce1-831d-10044d691e31 rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF-8 rd_NO_LVM rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-358.el6.x86_64.img

vim /etc/grub.conf

title Windows 7    // add one more system boot entry
        rootnoverify (hd0,0)
        makeactive    // mark the partition active
        chainloader +1    // hand off to the boot sector of that partition

/boot/grub/splash.xpm.gz    // storage location of the boot splash picture

Press "p" at the GRUB menu and enter the first (global) password

Select the entry, press Enter, and enter the entry's own password


User switching and privilege elevation

Switch user identity, when

-SSH remote management

-operations and maintenance testing

Elevate execution permissions, when

-administrative permissions are split among several users

su tom    // without the minus sign: not a login shell, the current environment is kept

su - tom    // with the minus sign: a login shell, tom's environment is loaded


Elevate execute permissions (sudo)

Purpose: execute commands with superuser privileges

Verifying credentials

-The current user's own password; the authorization must be configured in advance

Command format

-sudo privileged-command

-sudo [-u target-user] privileged-command

# visudo

# visudo -c    // check whether the sudoers syntax is correct

/ALL    // search for ALL in the file

Cmnd_Alias USEROP = /usr/bin/passwd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod    // add these commands to the USEROP alias

User_Alias USER_ADMINS = tom, jack    // add tom and jack to the USER_ADMINS alias

tom ALL=(ALL) ALL    // with this line tom can execute any administrator command; "sudo su -" followed by tom's own password switches to the root user

USER_ADMINS ALL=(ALL) USEROP    // the people in USER_ADMINS may run the commands in the USEROP alias

:wq

# su - tom

$ sudo -l    // view the commands user tom can execute

$ sudo useradd jack    // prefix the command with sudo to run it with elevated privileges


vim /var/log/secure    // view security-related logs, including every sudo use

yum install -y finger

finger tom    // view tom's user information

chfn tom    // set up the user information for tom

Name: tommy
Office: beijing
Office Phone: 010-0000
Home Phone: 101-11111

Verify by viewing tom's user information

grep tom /etc/passwd


This article is from the "Wsyht blog" blog, make sure to keep this source http://wsyht2015.blog.51cto.com/9014030/1790276

