tcp_wrapper is an access-control layer for TCP services: it allows or denies a given client IP address access to services on the local host. The iptables firewall tool discussed earlier can do this as well, but iptables can restrict every application service, whereas tcp_wrapper only covers services built with wrapper support, such as sshd and vsftpd.
To tell whether an application is subject to tcp_wrapper control, check whether it is linked against the libwrap.so library.
The tcp_wrapper configuration files are /etc/hosts.allow and /etc/hosts.deny:
/etc/hosts.allow: the IP addresses allowed to access; addresses to be denied can also be written here. It has the higher priority.
/etc/hosts.deny: the IP addresses denied access; addresses to be allowed can also be written here. It has the lower priority.
Configuration file format:
daemon_list: client_list [: option]
daemon_list: a list of service program names; for the ssh service this is the name of its executable, sshd.
client_list: the IP addresses or ranges to allow or deny. Prefix notation such as 172.16.72.1/16 cannot be used; a mask must be written out as 172.16.72.1/255.255.255.0. A range can also be written as a dotted prefix such as 172.16., which stands for every address in the 172.16 network.
option: allow, permit access;
deny, refuse access;
spawn, run the given command when the rule matches.
Example 1: in /etc/hosts.allow, allow host 172.16.72.2 to access the ssh service on host 172.16.72.6. (The original post shows each configuration and each connection attempt below as a screenshot; the screenshots are not preserved here.)
Example 2: allow host 172.16.72.2 in /etc/hosts.allow, and deny all hosts access to the sshd and vsftpd services in /etc/hosts.deny. Then test:
172.16.72.1 connecting to the ssh service on 172.16.72.6;
172.16.72.1 connecting to the vsftpd service on 172.16.72.6;
172.16.72.2 connecting to the ssh service on 172.16.72.6;
172.16.72.2 connecting to the vsftpd service on 172.16.72.6.
Example 3: use the EXCEPT keyword in /etc/hosts.allow to exclude every address other than 172.16.72.2, then test 172.16.72.1 connecting.
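The decision logic the examples above exercise (hosts.allow first, then hosts.deny, otherwise allow) can be reproduced in a few lines. The following is an added example written for this page, not code from the original post: a small Python model of the tcp_wrapper matcher run against constructed hosts.allow and hosts.deny contents for the second example, plus an EXCEPT variant. It supports only a subset of the real hosts_access(5) syntax (exact address, dotted prefix, net/netmask, ALL, EXCEPT, and the allow/deny option).

```python
"""Simplified model of the tcp_wrapper (libwrap) access decision described above.

Evaluation order:
  1. a matching line in /etc/hosts.allow  -> access granted
  2. a matching line in /etc/hosts.deny   -> access refused
  3. no match in either file              -> access granted (the default)
An explicit "allow" or "deny" option on a line overrides the file it sits in.

Client patterns supported (a subset of hosts_access(5)): an exact IPv4
address, a dotted prefix such as "172.16.", "net/netmask", "ALL", and
"<list> EXCEPT <list>". The file contents at the bottom are constructed for
this example; they are not copied from the original post.
"""
import ipaddress


def _client_match(pattern, client):
    """Match one client_list token against a client IPv4 address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # dotted prefix, e.g. "172.16." = whole 172.16 network
        return client.startswith(pattern)
    if "/" in pattern:                 # "net/netmask", e.g. 172.16.72.1/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client) in network
    return pattern == client           # exact address


def _daemon_match(pattern, daemon):
    """Match one daemon_list token (a program name or ALL)."""
    return pattern.strip() in ("ALL", daemon)


def _list_match(spec, value, matcher):
    """Match "a, b EXCEPT c, d": the left list matches and the right one does not."""
    if " EXCEPT " in spec:
        left, right = spec.split(" EXCEPT ", 1)
        return _list_match(left, value, matcher) and not _list_match(right, value, matcher)
    return any(matcher(tok, value) for tok in spec.replace(",", " ").split())


def parse_rules(text):
    """Parse "daemon_list : client_list [: option]" lines into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        option = parts[2].lower() if len(parts) > 2 else None
        rules.append((parts[0], parts[1], option))
    return rules


def _first_hit(rules, daemon, client):
    """Return the option of the first matching rule ("" if none given), or None."""
    for daemons, clients, option in rules:
        if _list_match(daemons, daemon, _daemon_match) and _list_match(clients, client, _client_match):
            return option or ""
    return None


def decide(hosts_allow, hosts_deny, daemon, client):
    """Return "allow" or "deny" for one connection, given both files' contents."""
    hit = _first_hit(parse_rules(hosts_allow), daemon, client)
    if hit is not None:
        return "deny" if hit == "deny" else "allow"
    hit = _first_hit(parse_rules(hosts_deny), daemon, client)
    if hit is not None:
        return "allow" if hit == "allow" else "deny"
    return "allow"                     # nothing matched: tcp_wrapper lets the connection through


# Constructed files for the second example above: only 172.16.72.2 may reach sshd,
# and everyone else is shut out of both sshd and vsftpd.
HOSTS_ALLOW = "sshd: 172.16.72.2\n"
HOSTS_DENY = "sshd, vsftpd: ALL\n"

# Constructed variant using EXCEPT in hosts.deny: refuse everyone but 172.16.72.2.
HOSTS_DENY_EXCEPT = "sshd: ALL EXCEPT 172.16.72.2\n"

if __name__ == "__main__":
    for daemon, client in [("sshd", "172.16.72.2"), ("sshd", "172.16.72.1"),
                           ("vsftpd", "172.16.72.2"), ("vsftpd", "172.16.72.1")]:
        print(f"{client:>12} -> {daemon:<7}: {decide(HOSTS_ALLOW, HOSTS_DENY, daemon, client)}")
```

Note that with these files 172.16.72.2 is refused for vsftpd even though it is the "trusted" host: the hosts.allow line names only sshd, so the vsftpd connection falls through to the catch-all deny. Whitelisting a host for one service does not whitelist it for the others.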
sudo:
In a production environment, working as root for everyday tasks is dangerous: it makes it easy for someone to use the root account for destructive operations. The practice is therefore to administer the system as an ordinary user and, when root privileges are needed, switch to them temporarily with su or sudo, which is safer.
su switches user, either completely or incompletely:
Complete switch (a login shell, with the target user's environment): su - username
Incomplete switch (the current environment is kept): su username
Obtain root privileges for a single command and return to the current shell afterwards: su -c 'command'
Although su lets us switch to root to run a command, it is still bad for the secure operation of the system: if someone's job is only to manage the network configuration but they use su -c, they can act not only on the network configuration files but on almost anything. In a real production environment, therefore, sudo is almost always configured to permit specific commands.
The sudo command lets a specified user run, through sudo, commands that would otherwise require root privileges, according to the configuration in /etc/sudoers.
In /etc/sudoers each line holds exactly one authorization.
The format is:
who where=(whom) what
user host=(runas) COMMANDS
sudo command:
sudo [option]... command
-u user: run the command as the specified user;
-l [command]: list all the commands the current user may run through sudo;
-k: clear the cached credential, so that the next sudo asks for the password again:
sudo -k
(After the first sudo with a password, the credential is cached for 300 seconds, so sudo invocations within those 300 seconds do not ask for the password.)
/etc/sudoers entries, field by field:
who:
user: a user name;
#uid: a user specified by UID;
%group: a group;
%#gid: a group specified by GID;
User_Alias: a predefined user alias;
Defining aliases in the configuration file:
Alias types:
User_Alias: a user alias;
Host_Alias: an alias for the hosts a rule applies to;
Cmnd_Alias: a command alias;
Runas_Alias: the run-as identity, usually root;
Setting an alias:
Alias_Type NAME = item1, item2, ...
The name must be all uppercase. (The original post shows an example as a screenshot, which is not preserved here.)
where:
ALL: every host;
ip/hostname: a single host;
network address: a network;
Host_Alias: a predefined host alias;
whom: the real identity, usually root, under which the authorized user's command runs;
what: the commands this authorization may execute:
command: a single command;
directory: every command under the given directory;
sudoedit: a special command that lets the user edit files through sudo; a user authorized for it can edit /etc/sudoers itself;
Cmnd_Alias: a predefined command alias;
Example: let the user wjq manage every user's password on the system. (The original post shows the sudoers entry and the tests as screenshots, which are not preserved here.)
As written, the wjq user can also change the root password, which would not be allowed in the real world.
In the configuration the passwd command must be followed by an argument pattern, passwd root must be excluded, and passwd with no argument must also be disallowed (run as root with no argument, passwd changes root's own password).
For example (screenshots not preserved):
Commands like passwd that can change root, and commands like su and sudo, need the same care: once they are authorized, you must consider how to exclude the case of switching to root, so that an ordinary user cannot use them to operate as root. Note also that sudoedit can let an ordinary user modify the /etc/sudoers configuration file.
For example, restricting the su command (screenshots not preserved):
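The passwd and su examples above both hinge on one rule of sudoers evaluation: entries in a command list are checked in order, a "!" entry is a denial, and the last matching entry wins, so the exclusions must come after the permissive entry and must also cover the no-argument form. The block below is an added example written for this page, not code from the original post. It models that matching in Python with constructed rule strings (the user name wjq is the one from the post; the paths /usr/bin/passwd and /bin/su and the glob patterns are assumptions for the example).

```python
"""Model of how sudoers evaluates the command list of one rule, to show why
the passwd example above must exclude "passwd root" and "passwd" with no
argument. In sudoers the entries are checked in order, an entry prefixed
with "!" is a denial, and the LAST matching entry decides; a command that
matches nothing is refused. Rule strings below are constructed for this
example (the user name wjq is the one from the post).
"""
import fnmatch


def parse_cmnd_list(spec):
    """Split "cmd args, !cmd args, ..." into (negated, path, args_pattern) tuples."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        parts = item.split(None, 1)
        args_pattern = parts[1].strip() if len(parts) > 1 else None
        entries.append((negated, parts[0], args_pattern))
    return entries


def _args_match(pattern, args):
    """sudoers argument matching: no pattern = any arguments, "" = no arguments, else a glob."""
    if pattern is None:
        return True
    if pattern == '""':
        return args == ""
    return fnmatch.fnmatchcase(args, pattern)


def is_permitted(cmnd_list, path, args=""):
    """Return True if the Cmnd list lets the user run `path args` through sudo."""
    verdict = False                                  # nothing matched yet: refused
    for negated, rule_path, pattern in parse_cmnd_list(cmnd_list):
        if rule_path == path and _args_match(pattern, args):
            verdict = not negated                    # last match wins
    return verdict


# Naive entry: wjq may run passwd with any argument at all (constructed).
PASSWD_NAIVE = "/usr/bin/passwd"
# Corrected entry: an account name is required, root is refused, and so is an empty argument list.
PASSWD_SAFE = '/usr/bin/passwd [a-zA-Z]*, !/usr/bin/passwd root, !/usr/bin/passwd ""'
# Same idea for su: a target user is required, and any form mentioning root is refused.
SU_SAFE = '/bin/su [!-]*, !/bin/su *root*, !/bin/su ""'


def sudoers_line(user, cmnd_list, host="ALL", runas="root"):
    """Render the full "who where=(whom) what" line for /etc/sudoers."""
    return f"{user} {host}=({runas}) {cmnd_list}"


if __name__ == "__main__":
    print(sudoers_line("wjq", PASSWD_SAFE))
    for args in ("alice", "root", "", "-d root"):
        print(f"sudo passwd {args!r}: naive={is_permitted(PASSWD_NAIVE, '/usr/bin/passwd', args)}"
              f" safe={is_permitted(PASSWD_SAFE, '/usr/bin/passwd', args)}")
```

The glob [a-zA-Z]* does double duty: it forces at least one argument and, because the first character must be a letter, it also refuses option-style arguments such as "-d root". Argument matching in real sudoers has more subtleties than this model (whitespace and quoting in particular), so always confirm a rule with sudo -l as the affected user rather than by reading the file.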
nsswitch and PAM:
nsswitch: the Name Service Switch, used for name resolution, i.e. turning human-readable names into the numeric identifiers the computer works with;
Name resolution looks up a keyword in the repository configured for that kind of information and checks whether the repository holds an entry matching it: for example the passwd repository for user information, or the hosts repository for the information associated with a given domain name or IP address.
Repositories come in many kinds: flat files, relational databases, non-relational databases, LDAP, and so on.
The nsswitch framework provides a unified interface through which upper-layer applications access the different repository types underneath. Without this intermediate layer, every application that wanted to reach the different backends would have to implement each backend itself, which is far too much work and does not fit today's environment.
On Linux this common name-resolution framework is implemented as libraries:
/lib64/libnss* <--> /usr/lib64/libnss*
The resolution libraries are configured through /etc/nsswitch.conf, whose format is:
db: store_format1 store_format2 ...
For example (screenshot not preserved), it configures passwd, shadow, group, hosts and so on.
To look up a keyword in the corresponding library, use the getent command (screenshot not preserved).
For the passwd library the keyword can only be a user name or a UID (screenshot not preserved).
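What the libnss* libraries do for a getent passwd lookup (read the source order for the database from nsswitch.conf, consult each source in turn, return the first hit) is simple enough to model directly. The following is an added example for this page, not code from the original post: the nsswitch.conf excerpt and the two repositories ("files" standing in for /etc/passwd, "ldap" for a directory) are constructed, and the same user name is planted in both so the effect of source order is visible.

```python
"""Model of the nsswitch lookup path: read the source order for a database
from nsswitch.conf, consult each source in turn, and return the first hit,
which is what getent does through the libnss* libraries. The config text
and the two repositories are constructed for this example (not taken from
the post); "files" stands in for /etc/passwd and "ldap" for a directory.
"""


def parse_nsswitch(text):
    """Return {db: [source, ...]} from "db: source1 source2 ..." lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        conf[db.strip()] = sources.split()
    return conf


# Constructed repositories, in /etc/passwd line format. Note that "wjq" exists
# in both: the source order decides which copy wins.
REPOS = {
    "passwd": {
        "files": ["root:x:0:0:root:/root:/bin/bash",
                  "wjq:x:1000:1000::/home/wjq:/bin/bash"],
        "ldap": ["alice:x:5001:5001::/home/alice:/bin/bash",
                 "wjq:x:9999:9999::/ldap/wjq:/bin/sh"],
    },
}


def getent(conf, db, key):
    """Look `key` (a user name or a UID, as getent passwd accepts) up in `db`."""
    for source in conf.get(db, []):
        for entry in REPOS.get(db, {}).get(source, []):
            name, _pw, uid = entry.split(":")[:3]
            if key in (name, uid):
                return entry
    return None


NSSWITCH_CONF = """
# constructed /etc/nsswitch.conf excerpt
passwd:   files ldap
shadow:   files
group:    files ldap
hosts:    files dns
"""

# The same file with the passwd order reversed: the directory would now
# shadow the local account, which is why this order is security-relevant.
NSSWITCH_LDAP_FIRST = NSSWITCH_CONF.replace("passwd:   files ldap", "passwd:   ldap files")


if __name__ == "__main__":
    conf = parse_nsswitch(NSSWITCH_CONF)
    for key in ("wjq", "1000", "alice", "5001", "nobody"):
        print(f"getent passwd {key}: {getent(conf, 'passwd', key)}")
```

With files listed first, the local wjq entry (UID 1000) wins; with ldap first, a directory entry for the same name would be returned instead. Keeping files ahead of network sources for passwd and shadow is what guarantees that local administrative accounts cannot be shadowed by a remote repository.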
PAM:
Pluggable Authentication Modules, a plug-in authentication module system;
a general-purpose authentication framework;
PAM's authentication functions are likewise implemented as library modules, stored in /lib64/security (CentOS 7).
Configuration files:
Global authentication configuration: /etc/pam.conf
Format:
application type control module-path module-options
Per-application configuration: /etc/pam.d/*
Format:
type control module-path module-options
For example (screenshot not preserved):
type
auth: authentication of the account, i.e. verifying the user's identity;
account: account management, mainly checking whether the account is valid: whether it has expired, whether it is permitted to log in to the system, etc.;
session: additional operations to perform before the service starts and after it ends;
password: operations performed when a password is changed, such as enforcing password complexity;
control
required: implicit veto. If this entry fails the stack is not interrupted immediately; the remaining entries are still evaluated, and only at the end of the stack is the failure reported;
requisite: explicit veto. If this entry fails, the stack is interrupted immediately;
sufficient: if this entry succeeds and no earlier required entry has failed, the whole stack terminates at once and returns success; if this entry fails, the remaining entries are consulted;
optional: insignificant; its success or failure does not affect the overall result;
include: the stack from another configuration file is included at the current position, as though that file's configuration were copied into this file;
substack: also runs the stack from another file, but unlike include it runs it as a sub-stack, so the sub-stack's outcome is confined to the sub-stack rather than acting directly on the main stack.
status (the return values used in the [status=action ...] control syntax)
user_unknown: the user is unknown, could not be found;
success: the action taken when the module succeeds, usually ok;
default: the action taken for any status not listed;
action: what that return value does: ok, N (skip the next N modules), bad, ignore, die (a veto: the stack ends with failure), done (the stack ends with success)
For example (screenshot not preserved):
module-path: a relative or absolute path; modules live under /lib64/security/*
module-arguments: arguments passed to the module;
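The control flags are easiest to compare by walking a stack. The block below is an added example for this page, not code from the original post: a Python model of how PAM combines module results under required, requisite, sufficient and optional (include and substack are not modelled). The stack mirrors the shape of a typical CentOS auth stack, but it and the module outcomes are constructed for the example; no real PAM module is called.

```python
"""Model of how PAM walks one management group (an "auth" stack, say) and
combines the module results under the control flags described above.
Module outcomes are supplied as a constructed dict keyed by module name, so
the flags can be compared without real PAM modules. The stack below mirrors
the shape of a typical CentOS auth stack but is constructed for this
example; include and substack are not modelled.
"""


def run_stack(stack, results):
    """stack: list of (control, module); results: {module: True/False}.
    Returns (authenticated, modules_consulted)."""
    required_failed = False   # a required failure is remembered, not reported yet
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "required":
            if not ok:
                required_failed = True         # implicit veto: keep going, fail at the end
        elif control == "requisite":
            if not ok:
                return False, consulted        # explicit veto: stop right here
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted         # early success; later modules are skipped
            # a failing sufficient module, or one after a required failure, is ignored
        elif control == "optional":
            pass                               # never changes the verdict on its own
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not required_failed, consulted


# Constructed auth stack (the module names are real PAM modules; the order is illustrative).
AUTH_STACK = [
    ("required",   "pam_env"),         # load environment; rarely fails
    ("sufficient", "pam_unix"),        # local password check: success ends the stack
    ("requisite",  "pam_succeed_if"),  # e.g. uid >= 1000: failure stops everything
    ("sufficient", "pam_sss"),         # directory password check
    ("required",   "pam_deny"),        # reached only if nothing above succeeded
]


def outcome(password_ok, uid_ok=True, env_ok=True, sss_ok=False):
    """Run AUTH_STACK for one constructed login attempt."""
    results = {"pam_env": env_ok, "pam_unix": password_ok,
               "pam_succeed_if": uid_ok, "pam_sss": sss_ok, "pam_deny": False}
    return run_stack(AUTH_STACK, results)


if __name__ == "__main__":
    print("good local password   :", outcome(True))
    print("bad password          :", outcome(False))
    print("bad password, uid<1000:", outcome(False, uid_ok=False))
    print("pam_env failed        :", outcome(True, env_ok=False))
```

Two things the walk makes visible: a required failure early in the stack is not rescued by a later sufficient success (the stack keeps running, which is what hides from the user which module refused them), and a requisite failure stops the walk immediately, so modules after it never see the request. The trailing required pam_deny is what turns "nothing succeeded" into an explicit refusal.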
tcp_wrapper, sudo, nsswitch and PAM security analysis