Prevent normal users from shutting down
Console helper mechanism
/usr/bin/consolehelper
Configuration directory
/etc/security/console.apps/
cd /etc/security/console.apps
mkdir -m 000 locked     # the original omits the mode value; 000 is assumed here
mv poweroff locked      # consolehelper no longer finds a poweroff configuration, so normal users cannot run it
Clean up non-login accounts
/sbin/nologin as the login shell prohibits interactive login
Set it for bin, daemon, shutdown, ...
Delete redundant accounts
news, games, gopher
Using the chage tool
-d 0 forces a password change at the next login
-E yyyy-mm-dd sets the account expiration date (-E -1 cancels it)
chage -E 2014-10-31 zengye
chage -l zengye      # view the password aging details of user zengye
chage -d 0 tom       # force user tom to change the password at next login
chage -m 0 tom       # minimum age 0: the password can be changed at any time
chage -m 1 -M 90 -W 5 -E 2014-10-01 -I <inactive-days> tom    # the original omits the value given to -I
-m minimum password age (days)
-M maximum password age (days)
-W warning period before expiry (days)
-E account expiry date
-I inactive period after the password expires (days)
Lock/unlock an account
Using the passwd command
-l lock, -u unlock, -S view status
Using the usermod command
-L lock, -U unlock
passwd -l tom          # lock user tom's password
passwd -S tom          # view the status of the user
grep tom /etc/shadow   # view the status (a locked account has its hash prefixed with !)
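An added check for the chage and passwd -l sections above (example code, not from the original notes): it reads /etc/shadow-format lines and reports accounts whose aging fields are weaker than the chage example (-m 1 -M 90 -W 5), skipping locked and nologin accounts. The sample shadow lines are constructed and the three policy thresholds are assumed from that example.

```shell
#!/bin/sh
# Audit password-aging fields in /etc/shadow against the policy used in the
# chage example above: min age 1, max age 90, warning 5 (assumed thresholds).
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Reads shadow-format lines from stdin, so it works on constructed data;
# on a real system run:  audit_shadow_aging < /etc/shadow   (as root)
MIN_DAYS_POLICY=1
MAX_DAYS_POLICY=90
WARN_DAYS_POLICY=5

audit_shadow_aging() {
    awk -F: -v minp="$MIN_DAYS_POLICY" -v maxp="$MAX_DAYS_POLICY" \
        -v warnp="$WARN_DAYS_POLICY" '
        # empty, "*" or "!"-prefixed hashes (passwd -l, nologin accounts) cannot use a password
        $2 == "" || $2 ~ /^[!*]/ { next }
        {
            findings = ""
            if ($4 == "" || $4 + 0 < minp)  findings = findings " min-days=" ($4 == "" ? "unset" : $4)
            if ($5 == "" || $5 + 0 > maxp)  findings = findings " max-days=" ($5 == "" ? "unset" : $5)
            if ($6 == "" || $6 + 0 < warnp) findings = findings " warn-days=" ($6 == "" ? "unset" : $6)
            if (findings != "") print $1 ":" findings
        }'
}

# Constructed sample: root never rotates, tom matches the policy, jack is
# locked with passwd -l (hash prefixed by !), daemon is a nologin account
SAMPLE_SHADOW='root:$6$constructedsalt$constructedhash:16000:0:99999:7:::
tom:$6$constructedsalt$constructedhash:16000:1:90:5:::
jack:!$6$constructedsalt$constructedhash:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow_aging
# prints:  root: min-days=0 max-days=99999
```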
Force periodic password changes
Configuration file /etc/login.defs
- Takes effect for newly created users
Main control properties
- PASS_MAX_DAYS maximum days
- PASS_MIN_DAYS minimum days
- PASS_WARN_AGE warning days
- PASS_MIN_LEN shortest length
Reduce the number of history commands
Environment variable HISTSIZE
- Default: 1000 entries are recorded
Sensitive information such as passwords should not be typed on the command line
- e.g. NFS mounts, joining a domain and similar operations
The history is kept in the user's home directory
vim ~/.bash_history      # the history is saved in this file
vim /etc/profile         # change the HISTSIZE value
Safe use of programs and services
Disable non-essential system services
- Use the ntsysv and chkconfig tools
Prohibit normal users from executing scripts in the init.d directory
- Restrict the permissions for "other"
who -r                 # view the current run level
runlevel               # view the current run level
init 3                 # switch to run level 3
startx                 # enter the graphical interface
ntsysv --level 35      # select which services start in run levels 3 and 5
File system planning and mounting
Rational planning of system partitions
- /boot, /home, /var and the like should use separate volumes
Mount options
- -o nosuid, -o noexec
SUID: if an executable file has x permission for others and also has SUID set, then
whoever executes the file holds the owner's permissions for as long as the file runs
# ll /bin/ls
# chmod 4755 /bin/ls
# su - tom
$ ls
$ exit
# chmod u-s /bin/ls
mount -o noexec /dev/sda1 /boot      # do not allow files on this partition to be executed
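Two added checks for this section (example code, not from the original notes): check_mount_opts reports mount points that lack nosuid or noexec, and find_risky_suid lists files where the SUID situation described above applies (SUID bit plus execute for others). The mount table lines and the temporary fixture directory are constructed, and the set of mount points to check is an assumption taken from the partitioning advice.

```shell
#!/bin/sh
# 1. check_mount_opts: read /proc/mounts-format lines on stdin and report the
#    mount points in WANT_OPTS that lack nosuid or noexec.
# 2. find_risky_suid: list files with the SUID bit AND other-execute set.
# On a real system:  check_mount_opts < /proc/mounts   and   find_risky_suid /  (as root)

WANT_OPTS="/boot /home /var"   # mount points to check (assumed from the advice above)

check_mount_opts() {
    awk -v want="$WANT_OPTS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        ($2 in wanted) {
            missing = ""
            if (("," $4 ",") !~ /,nosuid,/) missing = missing " nosuid"
            if (("," $4 ",") !~ /,noexec,/) missing = missing " noexec"
            if (missing != "") print $2 ": missing" missing
        }'
}

find_risky_suid() {
    # -perm -4001: the SUID bit (4000) and other-execute (0001) are both present
    find "$1" -xdev -type f -perm -4001 -printf '%m %u %p\n' 2>/dev/null | sort
}

# Constructed /proc/mounts snippet: /boot has neither option, /home lacks noexec
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /var ext4 rw,nosuid,noexec,relatime 0 0'

# Constructed fixture mirroring the chmod 4755 /bin/ls experiment above
make_suid_fixture() {
    d=$(mktemp -d)
    for f in ls_copy admin_only plain; do printf '#!/bin/sh\necho hi\n' > "$d/$f"; done
    chmod 4755 "$d/ls_copy"      # SUID + o+x: any local user runs it as the owner
    chmod 4750 "$d/admin_only"   # SUID but no o+x: not reachable by "others"
    chmod 0755 "$d/plain"        # no SUID at all
    printf '%s\n' "$d"
}

main() {
    printf '%s\n' "$SAMPLE_MOUNTS" | check_mount_opts   # /boot and /home are reported
    fixture=$(make_suid_fixture)
    find_risky_suid "$fixture"                          # only ls_copy is listed
    rm -rf "$fixture"
}
main
```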
File lock and unlock
ext3/ext4 file attribute control
- chattr, lsattr
+ - = control modes
- Attribute i: immutable
- Attribute a: append only
chmod a= hosts              # set the permissions to nothing at all
chattr +i /etc/passwd       # add the i attribute: the file can no longer be modified
chattr -i /etc/passwd       # remove the i attribute
lsattr /etc/passwd          # view the file attributes
TTY terminal control
Which TTY terminals are allowed to be enabled
Configuration file /etc/sysconfig/init
- ACTIVE_CONSOLES=/dev/tty[1-6]
Immediately prohibit normal user login
- /etc/nologin
touch /etc/nologin          # creating the nologin file prevents all normal users from logging in
Only allow root to log in from specified terminals
- Configuration file /etc/securetty
Disguising the terminal login prompt
Configuration file /etc/issue         # banner shown on local terminals before login
Configuration file /etc/issue.net     # banner shown to telnet remote connections; SSH does not show it
vim /etc/httpd/conf/httpd.conf
/ServerSignature On                   # search for ServerSignature On
ServerSignature Off                   # change On to Off so the server version is no longer shown on generated pages
:wq
Disable Ctrl+Alt+Del restart
Disable the Ctrl+Alt+Del key configuration
- /etc/init/control-alt-delete.conf
vim /etc/init/control-alt-delete.conf
#start on control-alt-delete
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
:wq
:6,$s/^/#/       # or comment out lines 6 to the end this way instead of adding # by hand
GRUB boot control
The role of setting a boot password
- Limit modification of boot parameters
- Restrict access to the system
Password setting methods
- password --md5 <MD5-crypt string>
- or: password <plaintext password>
Get the MD5-crypt string
grub-md5-crypt
vim /etc/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$kwaqv1$tjxpfkkniy7is51qrvwfd1
title Red Hat Enterprise Linux (2.6.32-358.el6.x86_64)
        password abc
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=UUID=27e5d4b2-0432-4ce1-831d-10044d691e31 rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF-8 rd_NO_LVM rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-358.el6.x86_64.img
vim /etc/grub.conf
title Windows 7                # add one more system boot entry
        rootnoverify (hd0,0)
        makeactive             # set the partition active
        chainloader +1
boot/grub/splash.xpm.gz        # storage location of the boot splash image
Press "p" to enter the first (global) password
Press Enter on the entry and enter that entry's password
User switching and privilege elevation
Switch user identity, when
- managing remotely over SSH
- testing during operations and maintenance
Elevate execution permissions, when
- management permissions are split among several people
su tom        # without the minus sign: not a login shell
su - tom      # with the minus sign: a login shell
Elevate execution permissions (sudo)
Purpose: execute as the superuser
Verifying credentials
- the current user's own password; the authorization must be configured in advance
Command format
- sudo privileged-command
- sudo [-u target-user] privileged-command
# visudo
# visudo -c         # check whether the syntax is correct
/ALL                # search for ALL
Cmnd_Alias USEROP = /usr/bin/passwd, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod    # add commands to the USEROP group
User_Alias USER_ADMINS = tom, jack    # add tom and jack to the USER_ADMINS group
tom ALL=(ALL) ALL      # with this line tom can execute any administrator command; sudo su - followed by tom's own password switches to root
USER_ADMINS ALL=(ALL) USEROP    # members of the USER_ADMINS group may execute the commands of the USEROP group
:wq
# su - tom
$ sudo -l                # view the commands user tom may execute
$ sudo useradd jack      # prefix the command with sudo to execute it
vim /var/log/secure      # view security-related logs
yum install -y finger
finger tom               # view tom's user information
chfn tom                 # set up tom's user information
Name: tommy
Office: beijing
Office Phone: 010-0000
Home Phone: 101-11111
Verify tom's user information
grep tom /etc/passwd
This article is from the "wsyht" blog; please keep this source: http://wsyht2015.blog.51cto.com/9014030/1790276
Linux Security Applications 1