现在的linux在安全方面都已经很完善了,但是还存在一些安全隐患,这就需要我们在安全机制上的加强。
1、账号和口令
主要是/etc/passwd和/etc/shadow两个文件,/etc/passwd主要是存放账户,/etc/shadow主要是存放用户口令。
这两个文件非常的重要,是Linux的第一个关卡。用户要登录系统,都必须经过这两个文件的验证。
[root@Linux ~]# ls -l /etc/passwd
-rw-r--r-- 1 root root 1479 Aug 26 16:44 /etc/passwd
[root@Linux ~]# ls -l /etc/passwd
-rw-r--r-- 1 root root 1479 Aug 26 16:44 /etc/passwd
[root@Linux ~]# ls -l /etc/shadow
-r-------- 1 root root 967 Aug 26 16:44 /etc/shadow
-r-------- 1 root root 967 Aug 26 16:44 /etc/shadow
这里主要对用户的口令作一些基础的讲解,主要是口令要主要一些方面:
1、复杂性
一般不要将口令设置为自己的名字,生日号码,一些容易被猜中的简单的数字和英文单词。一般字母,数字、符号相组合。但是不能设置的太复杂,要自己使用要方便。
2、口令长度
一般来说设置8个字符以上的密码才算是比较安全,但不一定要设置8个字符,只要有一定的复杂性,密码一般都不会被别人破解
一般来说设置8个字符以上的密码才算是比较安全,但不一定要设置8个字符,只要有一定的复杂性,密码一般都不会被别人破解
3、定期更改口令
建议一般是一个月左右更改一个口令,可以更改以下文件来达到目的
建议一般是一个月左右更改一个口令,可以更改以下文件来达到目的
[root@Linux ~]# ls -l /etc/login.defs
-rw-r--r-- 1 root root 1503 Jan 9 2008 /etc/login.defs
-rw-r--r-- 1 root root 1503 Jan 9 2008 /etc/login.defs
看看这个文件的类容
[root@Linux ~]# cat /etc/login.defs
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
[root@Linux ~]# cat /etc/login.defs
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
#
USERGROUPS_ENAB yes
# Use MD5 or DES to encrypt password? Red Hat use MD5 by default.
MD5_CRYPT_ENAB yes
MD5_CRYPT_ENAB yes
PASS_MIN_LEN 5 口令的长度,一般可以设置口令长度为8,那么就将5更改为8
其它的配置:
PASS_MAX_DAYS 99999 每一个密码的最大使用天数,也就是重新需要更新密码的天数,99999表示不需要重新更改密码,为了安全,一般需要更改这个数字,如30,表示30天需要更改一次用户密码
PASS_MIN_DAYS 0 表示密码不可以被更改的天数,0表示可以随时的更改
PASS_WARN_AGE 7 在最大更改密码期限的前几天通知用户更改密码,7,表示提前一个星期来更改密码。
其实这些设置都在/etc/shadow文件中都一一对应。
root:$1$cZ6OuLeY$g1aS6If4GfMTd4xT7SwRx1:14115:0:99999:7:::
看看第4、5、6这三个字段,都是和上面的一一对应的关系。也可以根据具体的情况来手工修改/etc/shadow文件中特定用户的信息。
