Linux system security: weak password detection and port scanning

Source: Internet
Author: User

I. Linux system security summary

II. Detailed description
1) Users: removing unnecessary users from the system reduces the entry points an attacker has into our Linux host. Locking an account suits the case where an employee will not use the account for a period of time (usermod -L). Making the passwd and shadow files under /etc immutable prevents unauthorized users from creating accounts (chattr +i).
2) Passwords: setting a password validity period reminds users to change their passwords regularly and avoids passwords being cracked because the same one was used for a long time (vim /etc/login.defs and chage -M). Forcing a password change at an employee's first login means the employee sets their own password after logging in to the account (chage -d 0).
3) Command history: by default the history keeps the previous 1000 commands, and if the Linux system is used by an unauthorized user, it is dangerous that they can view those commands with history. We can therefore shorten the number of lines kept in the command history, or clear the history at logout (export HISTSIZE= and vim ~/.bash_logout).
4) Automatic logout (export TMOUT): a user who performs no operation for a long time is automatically returned to the login screen.
5) su and sudo: work sometimes requires ordinary users to log in to the operating system, but letting ordinary users switch users with su carries a relatively large risk. Enabling pam_wheel authentication avoids this (vim /etc/pam.d/su), and modifying the /etc/sudoers file assigns a user only the permissions they need (visudo or vim /etc/sudoers).
6) Disable the Ctrl+Alt+Del shortcut: this avoids the immeasurable loss caused by pressing the keys by mistake at work. In the /etc/init/control-alt-delete.conf file, put # in front of the corresponding configuration lines so that they become comments.
7) Set a GRUB password. It is easy to change the root password by entering single-user mode when booting from GRUB; anyone who knows a little about Linux can do it. Without a GRUB password the security of the system is not guaranteed, so setting one is necessary. First generate an MD5-encrypted password with grub-md5-crypt, then edit the /boot/grub/grub.conf file and paste the generated password into the specified location.
8) Terminals: Linux has 6 terminals by default. Switching between them can improve efficiency, but they are also 6 entrances to the system, so closing some of them is necessary for security (vim /etc/init/start-ttys.conf and vim /etc/sysconfig/init).
9) Prohibit unnecessary user logins. The root user's permissions are very broad, which is itself a hidden danger: if the root password leaks and an unauthorized user logs in, the consequences are unimaginable. By modifying the configuration we can prevent root from logging in on some terminals (vim /etc/securetty). Much of the time, ordinary-user logins to the operating system are unnecessary and dangerous; the practice is to touch an empty file named nologin in /etc.
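
The file-based settings in items 2 to 6 can be verified with a short audit script. This is an added example, not part of the original article: the function name audit_hardening, the 90-day limit and the use of /etc/profile for HISTSIZE and TMOUT are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit the file-based settings from items 2-6 under a root prefix.
# Assumptions: the 90-day default limit and /etc/profile as the place for HISTSIZE/TMOUT.
audit_hardening() {
    root=${1:-} max=${2:-90}

    # 2) Password validity period: PASS_MAX_DAYS in /etc/login.defs
    days=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$root/etc/login.defs" 2>/dev/null) || true
    if [ -n "$days" ] && [ "$days" -le "$max" ] 2>/dev/null; then
        echo "OK   pass_max_days=$days"
    else
        echo "FAIL pass_max_days=${days:-unset}"
    fi

    # 3) and 4) HISTSIZE and TMOUT assigned a number
    for var in HISTSIZE TMOUT; do
        if grep -Eq "^[[:space:]]*(export[[:space:]]+)?$var=[0-9]+" "$root/etc/profile" 2>/dev/null; then
            echo "OK   $var set"
        else
            echo "FAIL $var not set"
        fi
    done

    # 5) pam_wheel line in /etc/pam.d/su must be present and uncommented
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$root/etc/pam.d/su" 2>/dev/null; then
        echo "OK   pam_wheel enabled"
    else
        echo "FAIL pam_wheel disabled"
    fi

    # 6) Any uncommented line in control-alt-delete.conf keeps the shortcut active
    cad="$root/etc/init/control-alt-delete.conf"
    if [ -f "$cad" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$cad"; then
        echo "FAIL ctrl-alt-del active"
    else
        echo "OK   ctrl-alt-del disabled"
    fi
}

# Constructed sample tree (not from the article) with unhardened defaults.
demo=$(mktemp -d)
mkdir -p "$demo/etc/pam.d" "$demo/etc/init"
printf 'PASS_MAX_DAYS\t99999\n' > "$demo/etc/login.defs"
printf '#auth\t\trequired\tpam_wheel.so use_uid\n' > "$demo/etc/pam.d/su"
printf 'exec /sbin/shutdown -r now\n' > "$demo/etc/init/control-alt-delete.conf"
audit_hardening "$demo"
rm -rf "$demo"
```

Called without arguments the function reads the live /etc; on a system that has no /etc/init/control-alt-delete.conf the last check reports the shortcut as disabled.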
III. Demonstration examples
1. Weak password detection
1) First unpack the John installation package.

2) Enter /usr/src/john.../src and run make clean linux-x86-64 to install John.

3) Create the test users zhangsan with password 123 and lisi with password 1234.


4) Copy /etc/shadow (the user password file) to /root/shadow, then run /usr/src/john.../run/john to scan the /root/shadow file.

5) The following results are obtained
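
Separately from John's results, the copied shadow file also records the account controls from the detailed description (lock state, forced password change, validity period), which can be reviewed in the same pass. This is an added example, not part of the original article: the function name audit_shadow is an assumption, the sample lines and hashes are constructed, and the users wangwu and legacy are hypothetical.

```shell
#!/bin/sh
# Added example: report account-control state from a shadow-format file.
# Fields used: 1=name, 2=password hash, 3=last change (days), 5=maximum age (days).
audit_shadow() {
    awk -F: '
        $2 == ""                { print "EMPTY_PASSWORD " $1; next }
        $2 ~ /^[!*]+$/          { next }                       # no usable password (system accounts)
        $2 ~ /^!/               { print "LOCKED " $1; next }   # usermod -L puts "!" before the hash
        $2 ~ /^\$1\$/           { print "MD5_HASH " $1 }       # MD5-crypt hash ($1$ prefix)
        $3 == "0"               { print "MUST_CHANGE " $1 }    # set by chage -d 0
        $5 == "" || $5 >= 99999 { print "NO_EXPIRY " $1 }      # no validity period applied
    ' "$1"
}

# Constructed sample in /etc/shadow format (hashes are placeholders, not real).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$CONSTRUCTEDSALT$constructedhash:17000:0:90:7:::
bin:*:15980:0:99999:7:::
zhangsan:$6$CONSTRUCTEDSALT$constructedhash:0:0:30:7:::
lisi:!$6$CONSTRUCTEDSALT$constructedhash:17000:0:99999:7:::
wangwu::17000:0:99999:7:::
legacy:$1$CONSTRUCTEDSALT$constructedhash:17000:0:99999:7:::
EOF
audit_shadow "$sample"
rm -f "$sample"
```

Run it against the /root/shadow copy rather than the live file, and delete the copy when the audit is finished.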

2. Port scan
1) Locate the nmap RPM package on the disc, then install it

2) Configure an IP address for the Linux host, then scan 127.0.0.1; if the local machine has no address configured, it cannot be scanned

3) Scan which TCP/UDP ports the local machine has open

4) Scan the UDP ports of the local machine

5) Scan 192.168.1.100 to 192.168.1.200 for machines that have ports 20 and 21 open. (Separate multiple ports with ","; join a continuous IP address range with "-")

6) Scan the 192.168.1.0 network segment for hosts that respond to ping

Additional nmap options:
-sF: TCP port scan
-sU: UDP port scan
-sP: ICMP scan, similar to ping detection
-P0: skip ping detection; without it, a target host that does not answer ping is not scanned
