Linux User Management Security: password cracking prevention and account file protection

Linux, as a multi-task and multi-user operating system, may be used by multiple users within the same period of time, and user management is directly related to the security of the entire system, users need to emphasize and protect password management and account file management. Linux User management is mainly divided into two aspects: password management and user

Linux, as a multi-task and multi-user operating system, may be used by multiple users within the same period of time, and user management is directly related to the security of the entire system, users need to emphasize and protect password management and account file management.

Linux User management includes password management and user group management. The following two aspects are described respectively.

This article is affiliated with the topic: Linux system comprehensive management
1. password management

The password is the key for a user to log on to the Linux system. if there is no key, it will always take some effort to log on to the target operating system. No matter what remote attacks the intruders use, the entire system cannot be fully controlled if the user password of the administrator or super administrator cannot be obtained. To access the system, the simplest and necessary method is to steal the user's password. Therefore, for the system administrator account, the most important thing to protect is the password. if the password is stolen, it means the arrival of a disaster.

Most intruders obtain administrator privileges through various systems and vulnerability settings, and then launch malicious attacks on the system. Weak account password settings make it easy for intruders to crack and access computers and networks, while strong passwords are hard to crack, and even password cracking software is hard to do in a short time. Password cracking software generally uses three methods for cracking: Dictionary guesses, combined guesses, and brute force guesses. Without a doubt, cracking a strong password is far more difficult than cracking a weak password. Therefore, the system administrator account must use a strong password.

According to statistics, about 80% of security risks are caused by improper password settings. Therefore, password settings are very skillful. When setting a password, observe the password security setting principle. this principle applies to any password usage scenarios, including Windows and UNIX/Linux operating systems.

John the Ripper is a tool software used to crack the plaintext password when the ciphertext is known. The latest version is JOHN1.7, which mainly supports cracking the ciphertext of DES and MD5 encryption methods. It can work on multiple and different models and different operating systems. the operating systems that have been tested to run normally include: linux x86, freeBSD, x86, Solaris, iSCSI, OSF/1 Alpha, DOS, WinNT/WinXP series, etc.

John the Ripper official website: http://www.openwall.com/john/

John the Ripper 1.7 is a good password cracking tool. during the decryption process, disks are automatically stored regularly. you can force the decryption process to be interrupted (using the ctrl + c key combination ), you can continue from the interrupted location next time (john-restore command ). When you press the keyboard, you can see the entire decryption process. all cracked passwords will be stored in JOHN. in the POT file, all users with the same ciphertext in the SHADOW will be classified as one type, so JOHN will not perform unnecessary repetitive work. In program design, key password generation conditions are placed in JOHN. in the INI file, you can modify the settings by yourself. This not only supports changing the word type, but also supports writing C programs to limit the password value.

Before using the software, we can download the latest john-1.7.3.4 for Linux version from the Internet, which contains three directories: DOC, SRC, and RUN, run the following command on the machine:
# Make
# Make clean linux-x86-any

After installation, you can switch to the RUN directory for testing, as shown below:
# Cd ../run
#./John? Test

John the ripper provides the following commands for users to choose from:
Pwfile: [,...]: Specifies the name of the file where the ciphertext is stored. (you can enter multiple file names separated by commas (,). You can also use * or these two wildcards to reference a batch of files ). You can also leave the file name at the end of the command line without using this parameter.
Wordfile: <字典文件名> -Stdin: specifies the dictionary file name used for decryption. You can also use STDIO for input, that is, input on the keyboard.
Rules: use the word rule change function during decryption. For example, we will try other possibilities of cool words, such as COOLER and Cool. detailed Rules can be found in [List. Rules: Wordlist] in the JOHN. ini file.
Incremental [: <模式名称> ]: The traversal mode indicates all possible combinations of passwords. you can also find them in the [Incremental: *****] section of the JOHN. ini file.
Single: The single mode is used for decryption. it is used to guess and decrypt based on user name changes, which can eliminate relatively low-level users. The combination Rules can be found in [List. Rules: Single] in the JOHN. ini file. we will explain them in detail below.
External: <模式名称> : The custom extended decryption mode allows you to define the password combination mode you need in john. ini. JOHN also provides several examples in the INI file, which are defined in [List. External: *****] of the INI file.
Restore [: <文件名> ]: Continue the last cracking operation. after JOHN is interrupted, the current decryption progress is stored in the RESTORE file. you can copy this file to a new file. If the parameter does not contain a file name, JOHN uses the RESTORE file by default.
Makechars: <文件名> : Create an external table. if the specified file exists, it will be overwritten. JOHN tries to use internal rules to generate the most likely password combination in the corresponding key space. it will refer to the existing key in the JOHN. POT file.
Show: shows the cracked password, because JOHN. the POT file does not contain the user name. at the same time, the user should enter the corresponding file name containing the password. JOHN will output the decrypted user and password detailed table.
Test: test the decryption speed of JOHN running on the current machine. it takes one minute to obtain the decryption speed under various possible circumstances, for example, the average speed of decrypting 100 users at the same time and the decryption speed in the traversal mode. Salts refers to the number of users. if the average decryption speed for 100 users is 18000 times/second, it indicates that 100 users are simultaneously decrypted, the decryption speed is 180 times per second. Because most of the time is used for key comparison. Therefore, users should be selected.
Users: [,...]: Only crack users of a certain type or a group. If the obtained PASSWD file does not contain ciphertext, it should be combined after SHADOW is obtained. JOHN's companion program UNSHADOW. EXE can complete this process. of course, you can also do it manually. Generally, users who can access CSH are the preferred objects for decryption. You can also set UID to 0 for ROOT users.
Shells: [!] [,...]: Like the preceding parameter, this option can be used to decrypt all users who can use shell, ignoring other users. "!" Indicates that users of some types are not allowed. For example, "-shells: csh ".
Salts: [!] : Only select to decrypt a user greater The user can get the right to select and get the user PASS as soon as possible.

Lamesalts: specify the cleartext used by the password in the user. (I am not sure about the function ).
Timeout: <几分钟> : The decryption duration is several minutes, and JOHN stops running automatically.
List: all the passwords being used are listed on the screen during decryption. we recommend that you do not use them. it will waste most of the time on display, greatly slowing down the decryption speed. Generally, it is only applicable to redirecting the output to a file and checking whether some of the modes set by the user are normal.
Beep-quiet: Specifies whether to enable a PC speaker to decrypt the password to remind the user.
Noname-nohash: does not use memory to store "user name" or other content.
Des-md5: Specifies whether to use the decryption method is describe DES or MD5, for decryption DES password ignore this option.

In addition to the password cracking program, this software package also contains several other utility tools that are helpful for implementing password cracking. these tools are all placed in the run directory, the following is a brief introduction.

(1) unshadow PASSWORD-file shadow-FILE

The unshadow command combines the passwd and shadow files. The result is used by John to crack the program. Usually, you should use the redirection method to save the results of this program in the file, and then pass the file to John's cracking program.

(2) unafs DATABASE-file cell-NAME

Unafs extracts hash values from the binary AFS database and generates available output for John. Generally, this output should be redirected to the file.

(3) unique OUTPUT-FILE

Delete the duplicate words in the dictionary table, but do not change the order of the entries in the dictionary table.

After the installation, we can use the following methods to test the password of our account:

In general, many users have simple password naming methods, such as foo, hello, world, or many of them use the same password as the user name, in general, we can use a simple decryption method to preliminarily test the passwords in the system. if we find that the passwords can be successfully cracked, we need to strengthen the strength of these passwords, as follows:
#./John? Single "/etc/shadow"
Loaded 2 password hashes with 3 different salts (FreeBSD MD5 [32/32])
Liyang (liyang)
Guesses: 1 time: 0: 00: 00: 00 100% c/s: 6975 trying: 999991900

In the preceding command, we found that the system has a liyang user whose username and password are both liyang. Therefore, we can find and use liyang in the simplest way, if it is a hacker, it will lead to unimaginable consequences. Therefore, our users should immediately strengthen their passwords based on this situation.

Secondly, users can use dictionary files to test and test the malicious password strength of system users. People usually use hello, superman, cooler, asdfgh, 123456, and so on as their own passwords. The-rules parameter adds some changes on this basis. for example, if the dictionary contains the word "cool", JOHN will try to decrypt it using the word changes such as cooler, CoOl, and Cool. Generally, the decryption time ranges from hours to days depending on the number of users in the SHADOW, the dictionary size of users, and the speed of users' machines. The following is an example of decryption using this method. Suppose we have generated a password. the lst file contains frequently used passwords based on dictionary words. Therefore, we use this method to test and crack the user password in the system. because the dictionary retains the word young, therefore, the google password is also tested. the network administrator also needs to reinforce the password, such as adding appropriate suffixes, letters, and numbers:
#./John -- wordlist = password. lst "/etc/shadow"
Loaded 2 password hashes with 2 different salts (FreeBSD MD5 [32/32])
Young (google)
Guesses: 1 time: 0: 00: 00: 01 100% c/s: 3571 trying: zhongguo2. manage user and group file security

Linux uses the traditional UNIX method to save all user information as common text files. You can modify these files to manage users and groups.

(1) User account file-passwd

The/etc/passwd file is one of the key UNIX security files. The