Theory: Linux system security and applications

Keywords: Linux sudo vim shell DNS

This covers account security controls, system boot and login controls, weak password detection, and local control of port scanning

I. Basic measures for account security

1.1 System account cleanup

  • Set the shell of non-login users to /sbin/nologin
  • Lock accounts that have not been used for a long time: usermod -L
  • Delete useless accounts: userdel -r
  • Lock the account files passwd and shadow so that no user (including root) can create, delete or modify accounts
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow    'lock passwd and shadow with +i'
[root@localhost ~]# lsattr /etc/passwd /etc/shadow    'lsattr shows whether the attribute is set, i.e. the lock status'
----i----------- /etc/passwd    'locked'
----i----------- /etc/shadow    'locked'

+i locks, -i unlocks

lsattr shows whether a file is locked

Practical exercises:

[root@localhost ~]# chattr +i /etc/passwd /etc/shadow 'lock account file'
[root@localhost ~]# lsattr /etc/passwd /etc/shadow 'view account file status'
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# id zhangsan 'check whether the test account exists'
id: zhangsan: no such user    'the user does not exist'
[root@localhost ~]# useradd lisi 'create lisi'
useradd: Unable to open /etc/passwd    'Feedback: unable to open account file for modification'
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow 'unlock'
[root@localhost ~]# useradd lisi 'create lisi again'
[root@localhost ~]# passwd lisi
Changing password for user lisi.
New password:
Invalid password: password is less than 8 characters
Retype new password:
passwd: All authentication tokens have been successfully updated. 'Success'
[root@localhost ~]# lsattr /etc/passwd /etc/shadow 'now check the status of the account file'
---------------- /etc/passwd
---------------- /etc/shadow
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow 'lock again'
[root@localhost ~]# userdel lisi 'delete lisi'
userdel: Unable to open /etc/passwd    'Feedback cannot be deleted'
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow 'unlock account file'
[root@localhost ~]# userdel lisi 'delete again'
[root@localhost ~]# id lisi 'view lisi'
id: lisi: no such user  'Delete successful'
[root@localhost ~]# ls /home 'view home directory of ordinary users'
gsy  lisi    'lisi's home directory is still there because userdel was run without -r (which also removes the home directory)'
[root@localhost ~]# rm -rf /home/lisi 'force delete'
[root@localhost ~]# ls /home
gsy

1.2 Password security control

  • Set the password validity period
  • Require the user to change the password at the next login
[root@localhost ~]# vim /etc/login.defs    'open the default configuration file'
......
PASS_MAX_DAYS   99999   'the default is 99999 days'

PASS_MAX_DAYS   30      'can be changed to 30 days of validity'

Changing the default configuration file applies only to users created after the modified file is saved; it does not change the password validity of users that already exist

[root@localhost ~]# tail -3 /etc/shadow    'view the last three lines of the shadow file'
tcpdump:!!:18192::::::
gsy:$6$4r65p5GBvUZhGlnz$Cs.RsqZdbDij5eQeIxWRi3f4VERzZFsp1TSkgaURI3d0Beafr8TT//iBETmpgEsW//yoHoqfvL9k2BwmGQlx51::0:'99999':7:::      
'99999 marked in single quotation marks is the validity period of gsy user's password'
apache:!!:18213::::::
[root@localhost ~]# useradd lisi    'create lisi'
Creating mailbox file: File exists
[root@localhost ~]# passwd lisi    'set the password'
Change the password for user lisi.
New password:
Invalid password: password is less than 8 characters
 Reenter new password:
passwd: all authentication tokens have been successfully updated.
[root@localhost ~]# tail -3 /etc/shadow    'view the last three lines'
gsy:$6$4r65p5GBvUZhGlnz$Cs.RsqZdbDij5eQeIxWRi3f4VERzZFsp1TSkgaURI3d0Beafr8TT//iBETmpgEsW//yoHoqfvL9k2BwmGQlx51::0:99999:7:::
apache:!!:18213::::::
lisi:$6$zpsumHLN$TvYWGP5LO4IVnjMnrEjUqGZeoDr7mtVFMqQ5DRjwTo1X6j5wHvSc7ZlJATPvlH2bFmp3vmZSpnqJ7ZgTL3MSu1:18214:0:'30':7:::
'the password of the newly created lisi is valid for 30 days'

The command for setting the password validity of an existing user is

[root@localhost ~]# chage -M <days> <username>
[root@localhost ~]# chage -M 99999 lisi
'set the password validity of lisi to 99999 days'
[root@localhost ~]# tail -3 /etc/shadow 'view'
gsy:$6$4r65p5GBvUZhGlnz$Cs.RsqZdbDij5eQeIxWRi3f4VERzZFsp1TSkgaURI3d0Beafr8TT//iBETmpgEsW//yoHoqfvL9k2BwmGQlx51::0:99999:7:::
apache:!!:18213::::::
lisi:$6$zpsumHLN$TvYWGP5LO4IVnjMnrEjUqGZeoDr7mtVFMqQ5DRjwTo1X6j5wHvSc7ZlJATPvlH2bFmp3vmZSpnqJ7ZgTL3MSu1:18214:0:'99999':7:::

Password validity settings

1. For a user that already exists: chage -M 30 <username>

2. For users not yet created: edit the /etc/login.defs file with vim

login.defs is the default configuration file for logins

Restore the validity period in /etc/login.defs to the default value

# is the comment symbol: a line that begins with # is not applied

# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000

:wq    'save and exit'
[root@localhost ~]# chage --help
Usage: chage [options] LOGIN

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

Practical exercises:

[root@localhost ~]# chage -d 0 lisi    'forces a password change at the next login'
[root@localhost etc]# su lisi    'without -, su switches the user but does not change directory'
[lisi@localhost etc]$ exit
[root@localhost etc]# su - lisi    'with -, su switches the user and also changes to the user's home directory'
Last login: Thu Nov 14 14:00:17 CST 2019 on pts/0
[lisi@localhost ~]$ exit
[root@localhost lisi]# su gsy    'switch to a user of the same level, then log in as lisi from there'
[gsy@localhost lisi]$ su lisi
Password:
You are required to change your password immediately (root enforced)
Changing password for lisi.
(current) UNIX password:    'the current password'
New password:
Invalid password: the password is too similar to the old one
New password:
Invalid password: the password is too similar to the old one
New password:
Invalid password: the password is too similar to the old one

su: Have exhausted maximum number of retries for service
[gsy@localhost lisi]$

Summary:

chage -d 0 <username>: the password must be changed at the next login (the new password may not consist of consecutive digits and letters; something like zxc196! is accepted)
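As an added example (not from the original page), the script below reads /etc/shadow-format records and reports which accounts never expire (max days empty or 99999), which are forced to change at the next login (the chage -d 0 case above, which sets the last-change field to 0), and which are locked. The sample records, the function names and the placeholder hashes are constructed for this example; on a real host run audit_shadow as root with /etc/shadow on stdin.

```shell
#!/bin/sh
# Added example, not from the original page. Audits password-aging fields of
# /etc/shadow-style records. Field layout (colon separated):
#   1 name  2 hash  3 lastchg (days since 1970-01-01)  4 min  5 max
#   6 warn  7 inactive  8 expire  9 reserved
# The records below are constructed for this example; the hashes are
# placeholders, not real password hashes.
SAMPLE_SHADOW='root:$6$PLACEHOLDER$hash:18214:0:99999:7:::
gsy:$6$PLACEHOLDER$hash:18214:0:99999:7:::
lisi:$6$PLACEHOLDER$hash:0:0:30:7:::
apache:!!:18213::::::
tcpdump:!!:18192::::::'

# audit_shadow reads records on stdin and prints "user FINDING", one per record:
#   LOCKED        hash starts with ! or *, no password login possible
#   FORCE_CHANGE  lastchg is 0, i.e. chage -d 0 was applied (change at next login)
#   NO_EXPIRY     max is empty or 99999, the password never expires
#   OK            an expiry policy is in place
audit_shadow() {
    awk -F: '
    NF < 5 { next }                         # ignore malformed records
    {
        user = $1; hash = $2; last = $3; max = $5
        if (hash ~ /^[!*]/)               { print user, "LOCKED"; next }
        if (last == "0")                  { print user, "FORCE_CHANGE"; next }
        if (max == "" || max == "99999")  { print user, "NO_EXPIRY"; next }
        print user, "OK"
    }'
}

# status_of prints the finding for one user of SAMPLE_SHADOW.
status_of() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | awk -v u="$1" '$1 == u { print $2 }'
}

# count_no_expiry prints how many active accounts have a password that never expires.
count_no_expiry() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | awk '$2 == "NO_EXPIRY"' | wc -l | tr -d ' '
}

# On a real host (as root): audit_shadow < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

Accounts reported as NO_EXPIRY are the ones that chage -M (or a lower PASS_MAX_DAYS before creation) has not yet reached; locked system accounts such as apache and tcpdump are listed separately so they do not inflate the count.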

1.3 Command history restrictions

  • Reduce the number of commands recorded
[root@localhost lisi]# vim /etc/profile    'open /etc/profile'
HOSTNAME=`/usr/bin/hostname 2>/dev/null`
HISTSIZE=1000   'the default is 1000; change it to 200 to reduce the command history that is kept'
  • Automatically clear the command history on logout
[root@localhost /]# vim ~/.bash_logout    'edit the logout script in root's home directory'

# ~/.bash_logout
history -c    'added'
clear         'added'

1.4 Automatic logout of idle terminals

  • Auto logout after 600 s idle
[root@localhost /]# vim ~/.bash_profile    'edit the environment file in root's home directory'
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi
export TMOUT=600     'this is the added line (the variable is TMOUT); after 600 s idle the shell logs out automatically'
# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH

Summary:

Do not set the logout time too short, otherwise it becomes hard to change it back
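As an added example (not from the original page), the following script shows how to verify what a profile fragment actually sets before relying on it. A misspelt variable such as TIMOUT is accepted silently by the shell and simply never triggers a logout, so the check sources the fragment in a subshell and reads back the effective TMOUT and HISTSIZE. The fragments, the function names and the readonly TMOUT hardening are constructed for this example and are not part of the page's configuration.

```shell
#!/bin/sh
# Added example, not from the original page. Reads the effective idle-logout
# and history settings out of a profile fragment without touching the real
# ~/.bash_profile. Both fragments below are constructed for this example.

# Fragment with a misspelt variable name: the shell never reads TIMOUT, so no
# idle logout happens and nothing warns about it.
PROFILE_TYPO='HISTSIZE=200
export TIMOUT=600'

# Corrected fragment: TMOUT is the variable bash and ksh honour, and marking it
# readonly stops a user from simply running "unset TMOUT" in their session.
PROFILE_FIXED='HISTSIZE=200
export TMOUT=600
readonly TMOUT'

# write_fragment stores a fragment in a temporary file and prints its path.
write_fragment() {
    _f=$(mktemp)
    printf '%s\n' "$1" > "$_f"
    printf '%s\n' "$_f"
}

# effective_tmout sources a fragment in a subshell and prints the idle-logout
# value it really sets ("unset" if none).
effective_tmout() {
    _f=$(write_fragment "$1")
    ( unset TMOUT; . "$_f"; printf '%s\n' "${TMOUT:-unset}" )
    rm -f "$_f"
}

# effective_histsize does the same for the history length.
effective_histsize() {
    _f=$(write_fragment "$1")
    ( unset HISTSIZE; . "$_f"; printf '%s\n' "${HISTSIZE:-unset}" )
    rm -f "$_f"
}

# tmout_is_readonly prints "yes" when the fragment protects TMOUT from being
# unset by the user, "no" otherwise.
tmout_is_readonly() {
    _f=$(write_fragment "$1")
    if ( . "$_f"; unset TMOUT ) 2>/dev/null; then echo no; else echo yes; fi
    rm -f "$_f"
}

printf 'typo fragment sets TMOUT to: %s\n' "$(effective_tmout "$PROFILE_TYPO")"
printf 'fixed fragment sets TMOUT to: %s\n' "$(effective_tmout "$PROFILE_FIXED")"
```

To check a real file, pass its contents, for example effective_tmout "$(cat ~/.bash_profile)"; a result of unset means the idle logout is not in effect for that login.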

II. Using the su command to switch users

2.1 Purpose and usage

  • Purpose: Substitute User, switch user
  • Format:
[root@localhost /]# su - <target user>
Usage:
 su [options] [-] [USER [arguments]...]

Change the effective user id and group id to that of USER.
A single - is treated as -l. If USER is not given, root is assumed.

Options:
 -m, -p, --preserve-environment  do not reset environment variables
 -g, --group <group>             specify the primary group
 -G, --supp-group <group>        specify a supplemental group

 -, -l, --login                  make the shell a login shell
 -c, --command <command>         pass a single command to the shell with -c
 --session-command <command>     pass a single command to the shell with -c
                                 and do not create a new session
 -f, --fast                      pass -f to the shell (for csh or tcsh)
 -s, --shell <shell>             run shell if /etc/shells allows it

 -h, --help     display this help and exit
 -V, --version  output version information and exit

2.2 Password verification

  • root switches to any user without password verification
  • When an ordinary user switches to another user, the target user's password must be entered
[root@localhost /]# su - gsy    'with the - option, the target user's login shell environment is used'
Last login: Thu Nov 14 14:16:48 CST 2019 on pts/0
[gsy@localhost ~]$ su - root
Password:
Last login: Thu Nov 14 14:28:57 CST 2019 on pts/0
[root@localhost ~]# whoami
root
[root@localhost ~]# 

2.3 Restrict the users of the su command

  • Users who are allowed to use su are added to the wheel group; members of the wheel group can then switch users with su
[root@localhost ~]# id gsy
uid=1000(gsy) gid=1000(gsy) group=1000(gsy)
[root@localhost ~]# cat /etc/group | grep wheel
wheel:x:10:  
[root@localhost ~]# cat /etc/gshadow | grep wheel
wheel:::
[root@localhost ~]# gpasswd -a gsy wheel
Adding user gsy to group wheel
[root@localhost ~]# id gsy
uid=1000(gsy) gid=1000(gsy) group=1000(gsy),10(wheel)
[root@localhost ~]# cat /etc/group | grep wheel
wheel:x:10:gsy
[root@localhost ~]# cat /etc/gshadow | grep wheel
wheel:::gsy
  • Enable the pam_wheel authentication module
[root@localhost ~]# vim /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid    'delete the # to enable this line'
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
:wq    'save and exit'

The pam_wheel line in /etc/pam.d/su must be enabled manually. While it is disabled, all users can use su to switch to other users by default, even users who are not in the wheel group

[root@localhost pam.d]# id gsy 'see which group gsy is in'
uid=1000(gsy) gid=1000(gsy) group=1000(gsy),10(wheel)
[root@localhost pam.d]# id lisi 'view which group lisi is in'
uid=1001(lisi) gid=1001(lisi) group=1001(lisi)
[root@localhost pam.d]# id root 'view root, not in wheel'
uid=0(root) gid=0(root) group=0(root)
[root@localhost pam.d]# su gsy    'switch to an ordinary user directly'
[gsy@localhost pam.d]$ su lisi    'switch to a user of the same level'
Password:
[lisi@localhost pam.d]$ su gsy    'lisi switches to gsy'
Password:
su: Permission denied    'su refuses'
[lisi@localhost pam.d]$ su root    'lisi switches to root'
Password:
su: Permission denied
[lisi@localhost pam.d]$ exit    'back to the previous user'
exit
[gsy@localhost pam.d]$ exit    'back to the previous user'
exit
[root@localhost pam.d]# gpasswd -a lisi wheel    'add lisi to the wheel group'
Adding user lisi to group wheel
[root@localhost pam.d]# su lisi
[lisi@localhost pam.d]$ su gsy    'switch to gsy again'
Password:
[gsy@localhost pam.d]$    'switch succeeded'

2.4 Viewing su operation records

  • Security log file: /var/log/secure
[root@localhost /]# cd /var/log
[root@localhost log]# ls
anaconda  dmesg               lastlog   qemu-ga            sssd                    wtmp            yum.log
audit     dmesg.old           libvirt   rhsm               tallylog                Xorg.0.log
boot.log  firewalld           maillog   sa                 tuned                   Xorg.0.log.old
btmp      gdm                 messages  samba              vmware-vgauthsvc.log.0  Xorg.1.log
chrony    glusterfs           ntpstats  'secure'             vmware-vmsvc.log        Xorg.1.log.old
cron      grubby_prune_debug  pluto     speech-dispatcher  vmware-vmusr.log        Xorg.2.log
cups      httpd               ppp       spooler            wpa_supplicant.log      Xorg.9.log

III. PAM security authentication in Linux

3.1 Security risks of the su command

  • Security risks of the su command
    • By default any user may use su, so a malicious user has the opportunity to repeatedly try the login passwords of other users (such as root), which is a security risk
    • To tighten control over su, the PAM authentication module can limit su to a few users
  • PAM (Pluggable Authentication Modules) is an efficient, flexible and convenient user-level authentication mechanism that is widely used on Linux servers

3.2 PAM authentication principle

  • PAM authentication generally follows the order: service → PAM configuration file → pam_*.so module
  • PAM authentication first determines which service is involved, then loads the corresponding PAM configuration file (under /etc/pam.d), and finally calls the authentication module (under /lib/security) to perform the check.
  • When a user accesses the server, the service program passes the user's request to the PAM module for authentication
  • Different applications use different PAM modules

The .so files are the module files

3.3 Composition of PAM authentication

  • To check whether a program supports PAM authentication, list /etc/pam.d and pipe the output through grep for the program name; for example, to check whether su supports PAM module authentication:
    • ls /etc/pam.d | grep su
  • View the PAM configuration file of su: cat /etc/pam.d/su
    • Each line is an independent authentication step
    • Each line consists of three fields: the authentication type, the control type, and the PAM module with its parameters

3.4 PAM authentication process

  • The control type, also called the control flag, determines how the return result of the module is handled:
    • 1. required: if this check fails, processing continues, but the overall result is Fail
    • 2. requisite: if this check fails, the whole authentication process ends immediately and returns Fail (the most important step)
    • 3. sufficient: if this check succeeds, success is returned immediately without continuing; otherwise the result is ignored and processing continues
    • 4. optional: not used for authentication, only displays information (usually for the session type)
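As an added example serving both the pam_wheel exercise in 2.3 and the field layout described in 3.3 and 3.4 (it is not code from the original page), the script below splits each active line of a /etc/pam.d/su-style file into its three fields and reports whether su is actually restricted to the wheel group. The two configurations, the function names and the sample content are constructed for this example; the stock file keeps the pam_wheel lines commented out, the hardened one uncomments the required line.

```shell
#!/bin/sh
# Added example, not from the original page. Parses pam.d-style lines into
# "type|control|module args" and checks whether pam_wheel.so is enforced.
# Both configurations below are constructed for this example.
PAM_SU_DEFAULT='#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
session         include         system-auth'

PAM_SU_HARDENED='#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
session         include         system-auth'

# pam_fields reads a pam.d file on stdin and prints "type|control|module args"
# for every line that is neither blank nor a comment.
pam_fields() {
    awk '
    /^[[:space:]]*#/ { next }              # comment line
    NF == 0          { next }              # blank line
    {
        type = $1; control = $2; module = $3
        for (i = 4; i <= NF; i++) module = module " " $i
        print type "|" control "|" module
    }'
}

# wheel_enforced prints "yes" when an active auth line loads pam_wheel.so with
# the required or requisite control flag, i.e. only wheel members may use su.
# The "trust" variant (sufficient + trust) only lets wheel members skip the
# password; it restricts nobody, so it does not count. Note that the earlier
# "pam_rootok.so sufficient" line still lets root through before this check.
wheel_enforced() {
    printf '%s\n' "$1" | pam_fields | awk -F'|' '
    $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 ~ /^pam_wheel\.so/ { found = 1 }
    END { print (found ? "yes" : "no") }'
}

# active_auth_count prints the number of active auth lines, a quick way to
# compare the file before and after editing.
active_auth_count() {
    printf '%s\n' "$1" | pam_fields | awk -F'|' '$1 == "auth"' | wc -l | tr -d ' '
}

# On a real host: pam_fields < /etc/pam.d/su ; wheel_enforced "$(cat /etc/pam.d/su)"
printf '%s\n' "$PAM_SU_HARDENED" | pam_fields
```

The check looks at the control flag as well as the module name because, per 3.4, only required and requisite turn a pam_wheel failure into a refused su; a sufficient line never blocks anyone.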

IV. Using the sudo mechanism to elevate privileges

4.1 Disadvantages of the su command

By default any user may use su, so a malicious user has the opportunity to repeatedly try the login passwords of other users (such as root), which is a security risk

4.2 Purpose and usage of the sudo command

  • Purpose: execute authorized commands as another user (such as root)
  • Usage: sudo <authorized command>

4.3 Configure sudo authorization

  • Use the visudo command or vim /etc/sudoers
  • Record format: user  host_list = command_list
[root@localhost log]# visudo
......
user    host_list = command_list
%wheel  ALL = NOPASSWD:ALL
jerry   localhost = /sbin/ifconfig
syrianer    localhost = /sbin/*,!/sbin/ifconfig,!/sbin/route
'the wildcard * and the negation ! can be used'
Cmnd_Alias  PKGTOOLS = /bin/rpm,/usr/bin/yum
mike    localhost = PKGTOOLS

Remarks:

The wildcard * and the negation ! can be used

The user and host-list fields are separated by tabs, and there are spaces around the = sign; if the command list contains two or more commands, they are separated by commas

Commands must be written with their absolute path, which is what sudo checks against

View the host name with hostname

A % in front of the user field denotes a group

localhost is the local host name

!/sbin/ifconfig means everything except /sbin/ifconfig

Cmnd_Alias defines a command alias; PKGTOOLS (package tools) groups related commands so that the alias can be used in the command column: host_list = ALIAS

Similar aliases exist for users (User_Alias) and hosts (Host_Alias)

[root@localhost gsy]# id gsy    'view the id of gsy'
uid=1000(gsy) gid=1000(gsy) groups=1000(gsy)
[root@localhost gsy]# id lisi    'view the id of lisi'
id: lisi: no such user    'lisi does not exist'
[root@localhost gsy]# useradd lisi    'create the test user lisi'
[root@localhost gsy]# passwd lisi
Changing password for user lisi.
New password:
Invalid password: password failed the dictionary check - it does not contain enough different characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost gsy]# id lisi    'view the id of lisi'
uid=1001(lisi) gid=1001(lisi) groups=1001(lisi)
[root@localhost gsy]# ifconfig    'taking an IP address change as the example, first check the current IP address'
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.139.153  netmask 255.255.255.0  broadcast 192.168.139.255
        inet6 fe80::413b:c9ad:e0e:1afc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d6:c0:8a  txqueuelen 1000  (Ethernet)
        RX packets 741  bytes 574698 (561.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 332  bytes 31777 (31.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost gsy]# su lisi

[lisi@localhost gsy]$ ifconfig ens33 10.10.10.10    'first try the command to change the IP address directly'
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted    'cannot be executed, no permission'
[lisi@localhost gsy]$ sudo ifconfig ens33 10.10.10.10    'run it with sudo'

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for lisi:
lisi is not in the sudoers file.  This incident will be reported.    'lisi is not in the sudoers file; that file is examined below'
[lisi@localhost gsy]$ cd /  
[lisi@localhost /]$ sudo -l    'view sudo permissions'
[sudo] password for lisi:
Sorry, user lisi may not run sudo on localhost.    'shows that lisi cannot use sudo'
[lisi@localhost /]$ su root
Password:
[root@localhost /]# gpasswd -a lisi wheel    'add lisi to the wheel group'
Adding user lisi to group wheel
[root@localhost /]# id lisi
uid=1001(lisi) gid=1001(lisi) groups=1001(lisi),10(wheel)
[root@localhost /]# su lisi
[lisi@localhost /]$ ifconfig ens33 10.10.10.10
 SIOCSIFADDR: operation not allowed
 SIOCSIFFLAGS: operation not allowed
[lisi@localhost /]$ sudo ifconfig ens33 10.10.10.10

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for lisi:
SIOCSIFADDR: File exists
[lisi@localhost /]$ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.10  netmask 255.0.0.0  broadcast 10.255.255.255
        inet6 fe80::413b:c9ad:e0e:1afc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d6:c0:8a  txqueuelen 1000  (Ethernet)
        RX packets 2581  bytes 697151 (680.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 525  bytes 50661 (49.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[lisi@localhost /]$ sudo -l
 Password for [sudo] lisi:
Matching Defaults entries for lisi on localhost:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User lisi may run the following commands on localhost:
    (ALL) ALL

Now look at the sudoers file, /etc/sudoers. If lisi runs vim /etc/sudoers, the edit is refused for lack of permission; su to root first and then open it with vim

[root@localhost /]# grep -v "^#" /etc/sudoers >> 1.txt
'writes the non-comment lines of /etc/sudoers into 1.txt'
[root@localhost /]# cat 1.txt
Defaults   !visiblepw

Defaults    always_set_home
Defaults    match_group_by_gid

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

root    ALL=(ALL)   ALL

%wheel  ALL=(ALL)   ALL    'users in the wheel group can run all commands on all hosts'
[root@localhost /]# vim /etc/sudoers    'open the configuration file in vim'

## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL     'this is the line; the comment above explains it'

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

An entry can be added manually in /etc/sudoers

[root@localhost /]# which ifconfig 'find the absolute path of the command first'
/usr/sbin/ifconfig
[root@localhost /]# hostname    'view the host name'
localhost.localdomain
[root@localhost /]# vim /etc/sudoers
## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL
lisi    localhost = /usr/sbin/ifconfig    'newly added line'
## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
:wq!    'save'
[root@localhost /]# gpasswd -d lisi wheel    'remove lisi from the wheel group'
Removing user lisi from group wheel
[root@localhost /]# id lisi
uid=1001(lisi) gid=1001(lisi) group=1001(lisi)
[root@localhost /]# su lisi    'switch to lisi'
[lisi@localhost /]$ ifconfig ens33 13.13.13.13    'run the command directly'
SIOCSIFADDR: Operation not permitted
SIOCSIFFLAGS: Operation not permitted
[lisi@localhost /]$ sudo ifconfig ens33 13.13.13.13    'add sudo'
[sudo] password for lisi:
[lisi@localhost /]$ ifconfig    'check the ens33 configuration: it has been changed'
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 13.13.13.13  netmask 255.0.0.0  broadcast 13.255.255.255
        inet6 fe80::413b:c9ad:e0e:1afc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d6:c0:8a  txqueuelen 1000  (Ethernet)
        RX packets 4927  bytes 874213 (853.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 812  bytes 95433 (93.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[lisi@localhost /]$ sudo -l    'check the sudo permissions again'
Matching Defaults entries for lisi on localhost:
    !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User lisi may run the following commands on localhost:
    (root) /usr/sbin/ifconfig    'the permission that is available'
[lisi@localhost /]$ 
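As an added example (not from the original page), the script below scans sudoers-style rules for the patterns a reviewer looks for before approving them: ALL as the command list, NOPASSWD, wildcards, and negated commands. The rule lines are constructed for this example from the entries shown in 4.3, and the function names are assumptions; the NEGATION finding reflects the sudoers(5) warning that subtracting commands from a wildcard list with ! is not an effective restriction, since the same program can be reached under another path or name.

```shell
#!/bin/sh
# Added example, not from the original page. Audits sudoers-style rules for
# patterns that deserve review. The rules below are constructed for this
# example and mirror the entries discussed on the page.
SUDOERS_SAMPLE='Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)   ALL
%wheel  ALL=(ALL)   ALL
%wheel  ALL = NOPASSWD:ALL
jerry   localhost = /sbin/ifconfig
syrianer    localhost = /sbin/*,!/sbin/ifconfig,!/sbin/route
Cmnd_Alias  PKGTOOLS = /bin/rpm,/usr/bin/yum
mike    localhost = PKGTOOLS
lisi    localhost = /usr/sbin/ifconfig'

# audit_sudoers reads rules on stdin and prints "WHO FINDING" for each user or
# group rule worth a second look:
#   NOPASSWD      no password is asked for the command list
#   ALL_COMMANDS  the command list is ALL (full root)
#   NEGATION      !cmd in the list; sudoers(5) documents that negating commands
#                 out of a wildcard list is not a security measure
#   WILDCARD      * in the list, which matches more than the author may intend
#   SCOPED        a specific absolute command or alias on a specific host
audit_sudoers() {
    awk '
    /^[[:space:]]*#/ || NF == 0          { next }   # comments and blank lines
    $1 == "Defaults" || $1 ~ /_Alias$/   { next }   # options and alias definitions
    {
        who = $1
        cmds = $0
        sub(/^[^=]*=[[:space:]]*/, "", cmds)        # keep what follows "="
        sub(/^\([^)]*\)[[:space:]]*/, "", cmds)     # drop the (runas) part
        gsub(/[[:space:]]+/, "", cmds)              # normalise spacing
        flagged = 0
        if (cmds ~ /NOPASSWD:/)             { print who, "NOPASSWD";     flagged = 1 }
        if (cmds == "ALL" || cmds ~ /:ALL$/) { print who, "ALL_COMMANDS"; flagged = 1 }
        if (cmds ~ /!/)                     { print who, "NEGATION";     flagged = 1 }
        if (cmds ~ /\*/)                    { print who, "WILDCARD";     flagged = 1 }
        if (!flagged)                       { print who, "SCOPED" }
    }'
}

# findings_for prints the findings for one user or group of SUDOERS_SAMPLE,
# comma separated in the order they were found.
findings_for() {
    printf '%s\n' "$SUDOERS_SAMPLE" | audit_sudoers | awk -v w="$1" '
        $1 == w { out = out (out ? "," : "") $2 }
        END { print out }'
}

# On a real host (as root): grep -v "^#" /etc/sudoers | audit_sudoers
printf '%s\n' "$SUDOERS_SAMPLE" | audit_sudoers
```

A rule such as the page's lisi localhost = /usr/sbin/ifconfig comes out as SCOPED, which is the shape to aim for; the two %wheel lines show why the wheel group should be kept small.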

4.4 Viewing sudo operation records

  • The Defaults logfile setting must be enabled
  • Log file used here: /var/log/sudo
[root@localhost ~]# visudo    'vim /etc/sudoers also works'

......
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
lisi    localhost = /usr/sbin/ifconfig
Defaults        logfile = "/var/log/sudo"    'add this setting'
## Allows members of the 'sys' group to run networking, software,
## Allows members of the 'sys' group to run networking, software,

Once the Defaults logfile setting is enabled, sudo operations are recorded in /var/log/sudo

[root@localhost ~]# cat /var/log/sudo   
Nov 14 19:24:15 : lisi : TTY=pts/1 ; PWD=/home/lisi ; USER=root ;
    COMMAND=/sbin/ifconfig ens33 14.14.14.14
Nov 14 19:25:00 : lisi : TTY=pts/1 ; PWD=/home/lisi ; USER=root ; COMMAND=list
Nov 14 19:28:28 : lisi : TTY=pts/1 ; PWD=/home/lisi ; USER=root ;
    COMMAND=/sbin/ifconfig ens33 15.15.15.15
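As an added example (not from the original page), the script below reads a sudo logfile in the format shown above and produces one record per event. The point it demonstrates is that sudo wraps long entries onto indented continuation lines, so a plain grep for COMMAND= on single lines misses the command of wrapped entries. The log lines are constructed in the same shape as the page's /var/log/sudo output, including a "command not allowed" entry of the kind sudo writes when a request is refused; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Joins the continuation lines of a
# sudo logfile and prints "timestamp|user|target|result|command" per event.
# The log below is constructed for this example.
SUDO_LOG='Nov 14 19:24:15 : lisi : TTY=pts/1 ; PWD=/home/lisi ; USER=root ;
    COMMAND=/sbin/ifconfig ens33 14.14.14.14
Nov 14 19:25:00 : lisi : TTY=pts/1 ; PWD=/home/lisi ; USER=root ; COMMAND=list
Nov 14 19:28:28 : lisi : TTY=pts/1 ; PWD=/home/lisi ; USER=root ;
    COMMAND=/sbin/ifconfig ens33 15.15.15.15
Nov 14 19:30:02 : gsy : command not allowed ; TTY=pts/2 ; PWD=/home/gsy ; USER=root ; COMMAND=/bin/cat /etc/sudoers'

# join_records reads the log on stdin and emits one event per line: a line that
# starts with whitespace belongs to the previous record and is appended to it.
join_records() {
    awk '
    /^[[:space:]]/ { line = $0; sub(/^[[:space:]]+/, "", line); rec = rec " " line; next }
    { if (rec != "") print rec; rec = $0 }
    END { if (rec != "") print rec }'
}

# events turns joined records into "timestamp|user|target|result|command".
# Fields of a record are separated by " ; "; the first field holds the
# timestamp, the invoking user and either TTY=... or a refusal message.
events() {
    join_records | awk '
    {
        n = split($0, f, / ; /)
        split(f[1], head, / : /)
        ts = head[1]; user = head[2]
        result = "allowed"; target = ""; cmd = ""
        if (head[3] ~ /^command not allowed/) result = "denied"
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
            if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
        }
        print ts "|" user "|" target "|" result "|" cmd
    }'
}

# event_count prints the number of events (not raw lines) in SUDO_LOG.
event_count() {
    printf '%s\n' "$SUDO_LOG" | events | wc -l | tr -d ' '
}

# command_of prints the command of the N-th event of SUDO_LOG.
command_of() {
    printf '%s\n' "$SUDO_LOG" | events | sed -n "${1}p" | cut -d'|' -f5
}

# denied_users lists the users with at least one refused request.
denied_users() {
    printf '%s\n' "$SUDO_LOG" | events | awk -F'|' '$4 == "denied" { print $2 }' | sort -u
}

# On a real host (as root): events < /var/log/sudo
printf '%s\n' "$SUDO_LOG" | events
```

The denied records are the ones worth alerting on: they show who tried to run something outside their sudoers entry, which the exercise above produced each time lisi was refused.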

su -l (with no user given) is another way to switch to root

V. Boot security control

5.1 Adjusting BIOS boot settings

  • Set the first boot device to the hard disk of the current system
  • Do not boot the system from other devices (CD, USB, network)
  • Set the security level to "setup" and set the administrator password

Note: booting from other devices is forbidden; I feel that if you forget the root password you may then be unable to reset it from a CD-ROM, so operate carefully

5.2 GRUB restrictions

  • Use grub2-mkpasswd-pbkdf2 to generate the password hash
  • Modify the /etc/grub.d/00_header file to add the password record
  • Generate a new grub.cfg configuration file

PBKDF2 is a key-derivation algorithm

Use the arrow keys to change the selection. Press "e" to edit the selected item, or "c" for a command prompt. The selected entry starts automatically in 4 s

The screen after pressing e

The screen after pressing c

Editing can be entered directly, so a password can be set to protect it.

To set grub password:

[root@localhost ~]# cd /boot/grub2    'switch to the /boot/grub2 directory'
[root@localhost grub2]# ls    'view'
device.map  fonts  grub.cfg  grubenv  i386-pc  locale
[root@localhost grub2]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak    'back up the configuration file before changing it, so that a mistake can be undone'
[root@localhost grub2]# ls    'view'
device.map  fonts  grub.cfg  'grub.cfg.bak'  grubenv  i386-pc  locale    'backup succeeded'
[root@localhost grub2]# cd /etc/grub.d/    'switch to the /etc/grub.d configuration directory'
[root@localhost grub.d]# ls    'view'
00_header  01_users  20_linux_xen     30_os-prober  41_custom
00_tuned   10_linux  20_ppc_terminfo  40_custom     README
[root@localhost grub.d]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
'back up the grub header file'
[root@localhost grub.d]# ls
00_header      00_tuned  10_linux      20_ppc_terminfo  40_custom  README
00_header.bak  01_users  20_linux_xen  30_os-prober     41_custom
[root@localhost grub.d]# grub2-mkpasswd-pbkdf2    'hash the password with PBKDF2'
Enter password:    'enter the password to set'
Reenter password:
PBKDF2 hash of your password is     grub.pbkdf2.sha512.10000.0A69A269813E2E719399E15405F9006F0370B5812D9912FCC8E3F10E565AA70202B19594A592F399B6F96240E6E6572D6F9CEC1E0F032962A315D97E61E90.7291C86820FB883DC5D1339D991292DED755221AEAA381AF70232A7223CCA6AAE4039D3DDEA9E9400613894B6BA29D81FD1B72386285B7A534CFDA0CAD881AC7 'grub.pbkdf2.sha512 Next is the password, copy and paste'
[root@localhost grub.d]# vim /etc/grub.d/00_header

if [ "x${GRUB_BADRAM}" != "x" ] ; then
  echo "badram ${GRUB_BADRAM}"
fi
cat << EOF          'add the following lines from here'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.0A69A269813E2E719399E15405F9006F0370B5812D9912FCC8E3F10E565AA70202B19594A592F399B6F96240E6E6572D6F9CEC1E0F032962A315D97E61E90.7291C86820FB883DC5D1339D991292DED755221AEAA381AF70232A7223CCA6AAE4039D3DDEA9E9400613894B6BA29D81FD1B72386285B7A534CFDA0CAD881AC7
EOF
:wq
[root@localhost grub.d]# grub2-mkconfig -o /boot/grub2/grub.cfg    'regenerate the configuration file'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-693.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-693.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-33c124456fa34c50a98483245dfea58d
Found initrd image: /boot/initramfs-0-rescue-33c124456fa34c50a98483245dfea58d.img
done
[root@localhost grub.d]# 
[root@localhost grub.d]# init 6 'restart'

Press e or c

A wrong user name or password returns to the menu; the correct one enters edit mode

VI. Terminal login security control

6.1 Restrict root to logging in only from secure terminals

  • Secure terminal configuration: /etc/securetty
  • If root should no longer be allowed to log in from a terminal, comment out that line
[root@localhost etc]# vim /etc/securetty

#console    'console is not commented out by default, so root can log in there; comment it out to stop root logging in from the console'
vc/1
vc/2
vc/3
:wq!    'make the desired changes, then save and exit'

6.2 Prohibit ordinary users from logging in

  • Create the /etc/nologin file (used during maintenance; while this file exists, ordinary users cannot log in, which conveniently prevents unexpected changes)
  • Delete the nologin file, or reboot, to restore normal logins
[root@localhost ~]# touch /etc/nologin    'disable ordinary user logins'
[root@localhost etc]# find -name "nologin"
./nologin
[root@localhost etc]# rm -rf /etc/nologin    'delete /etc/nologin to restore normal logins'

VII. System weak password detection

7.1 John the Ripper (JR for short)

  • A password-analysis tool that supports dictionary and brute-force cracking
  • By analyzing the shadow file it can detect password strength
  • It cannot be downloaded via yum; if you want it, leave a comment

[root@localhost etc]# mkdir /aaa
[root@localhost etc]# mount.cifs //192.168.254.10/linuxs /aaa
Password for root@//192.168.254.10/linuxs:  
[root@localhost etc]# cd /aaa
[root@localhost aaa]# ls
apr-1.4.6.tar.gz  apr-util-1.4.1.tar.gz  httpd-2.4.2.tar.gz  john-1.8.0.tar.gz
[root@localhost aaa]# tar xzvf john-1.8.0.tar.gz -C /mnt
john-1.8.0/README
john-1.8.0/doc/CHANGES
john-1.8.0/doc/CONFIG
......
[root@localhost aaa]# ls /mnt
john-1.8.0
[root@localhost aaa]# cd /mnt/john-1.8.0/
[root@localhost john-1.8.0]# ls
doc  README  run  src   'README is the manual, doc holds the documentation, run holds the runtime files (john.conf, password.lst, and the binaries once built), src is the source tree that has to be compiled'
[root@localhost john-1.8.0]# cd run
[root@localhost run]# ls
ascii.chr   john.conf     mailer   password.lst
digits.chr  lm_ascii.chr  makechr  relbench
[root@localhost run]# ls /mnt/john-1.8.0/src
AFS_fmt.c   common.h    external.c  LM_fmt.c      misc.h      rpp.h       tty.h
alpha.h     compiler.c  external.h  loader.c      nonstd.c    rules.c     unafs.c
alpha.S     compiler.h  formats.c   loader.h      options.c   rules.h     unique.c
batch.c     config.c    formats.h   logger.c      options.h   sboxes.c    unshadow.c
batch.h     config.h    getopt.c    logger.h      os.h        sboxes-s.c  vax.h
bench.c     cracker.c   getopt.h    Makefile      params.c    signals.c   wordlist.c
bench.h     cracker.h   ia64.h      Makefile.dep  params.h    signals.h   wordlist.h
best.c      crc32.c     idle.c      math.c        pa-risc.h   single.c    x86-64.h
best.sh     crc32.h     idle.h      math.h        path.c      single.h    x86-64.S
BF_fmt.c    DES_bs_b.c  inc.c       MD5_fmt.c     path.h      sparc32.h   x86-any.h
BF_std.c    DES_bs.c    inc.h       MD5_std.c     ppc32alt.h  sparc64.h   x86-mmx.h
BF_std.h    DES_bs.h    john.asm    MD5_std.h     ppc32.h     status.c    x86-mmx.S
BSDI_fmt.c  DES_fmt.c   john.c      memory.c      ppc64alt.h  status.h    x86.S
c3_fmt.c    DES_std.c   john.com    memory.h      ppc64.h     symlink.c   x86-sse.h
charset.c   DES_std.h   john.h      mips32.h      recovery.c  times.h     x86-sse.S
charset.h   detect.c    list.c      mips64.h      recovery.h  trip_fmt.c
common.c    dummy.c     list.h      misc.c        rpp.c       tty.c

Installation of this toolkit requires manual compilation and installation

[root@localhost run]# yum install gcc gcc-c++ -y 'install environment package'
//If yum reports that another instance holds /var/run/yum.pid, wait for it to finish or kill that process first, then run the installation again
//Installed as a dependency:
  cpp.x86_64 0:4.8.5-39.el7              glibc-devel.x86_64 0:2.17-292.el7             
  glibc-headers.x86_64 0:2.17-292.el7    kernel-headers.x86_64 0:3.10.0-1062.4.3.el7   
  libmpc.x86_64 0:1.0.1-3.el7            libstdc++-devel.x86_64 0:4.8.5-39.el7         

//Upgraded as a dependency:
  glibc.x86_64 0:2.17-292.el7              glibc-common.x86_64 0:2.17-292.el7         
  libgcc.x86_64 0:4.8.5-39.el7             libgomp.x86_64 0:4.8.5-39.el7              
  libstdc++.x86_64 0:4.8.5-39.el7         

//Complete!
[root@localhost run]# ls /mnt/john-1.8.0/src
AFS_fmt.c   common.h    external.c  LM_fmt.c      misc.h      rpp.h       tty.h
alpha.h     compiler.c  external.h  loader.c      nonstd.c    rules.c     unafs.c
alpha.S     compiler.h  formats.c   loader.h      options.c   rules.h     unique.c
batch.c     config.c    formats.h   logger.c      options.h   sboxes.c    unshadow.c
batch.h     config.h    getopt.c    logger.h      os.h        sboxes-s.c  vax.h
bench.c     cracker.c   getopt.h    Makefile      params.c    signals.c   wordlist.c
bench.h     cracker.h   ia64.h      Makefile.dep  params.h    signals.h   wordlist.h
best.c      crc32.c     idle.c      math.c        pa-risc.h   single.c    x86-64.h
best.sh     crc32.h     idle.h      math.h        path.c      single.h    x86-64.S
BF_fmt.c    DES_bs_b.c  inc.c       MD5_fmt.c     path.h      sparc32.h   x86-any.h
BF_std.c    DES_bs.c    inc.h       MD5_std.c     ppc32alt.h  sparc64.h   x86-mmx.h
BF_std.h    DES_bs.h    john.asm    MD5_std.h     ppc32.h     status.c    x86-mmx.S
BSDI_fmt.c  DES_fmt.c   john.c      memory.c      ppc64alt.h  status.h    x86.S
c3_fmt.c    DES_std.c   john.com    memory.h      ppc64.h     symlink.c   x86-sse.h
charset.c   DES_std.h   john.h      mips32.h      recovery.c  times.h     x86-sse.S
charset.h   detect.c    list.c      mips64.h      recovery.h  trip_fmt.c
common.c    dummy.c     list.h      misc.c        rpp.c       tty.c
[root@localhost run]# cd ../src
[root@localhost src]# make linux-x86-64
ln -sf x86-64.h arch.h
make ../run/john ../run/unshadow ../run/unafs ../run/unique \
    JOHN_OBJS="DES_fmt.o DES_std.o DES_bs.o DES_bs_b.o BSDI_fmt.o MD5_fmt.o MD5_std.o BF_fmt.o BF_std.o AFS_fmt.o LM_fmt.o trip_fmt.o dummy.o batch.o bench.o charset.o common.o compiler.o config.o cracker.o crc32.o external.o formats.o getopt.o idle.o inc.o john.o list.o loader.o logger.o math.o memory.o misc.o options.o params.o path.o recovery.o rpp.o rules.o signals.o single.o status.o tty.o wordlist.o unshadow.o unafs.o unique.o c3_fmt.o x86-64.o" \
    CFLAGS="-c -Wall -Wdeclaration-after-statement -O2 -fomit-frame-pointer  -DHAVE_CRYPT" \
    LDFLAGS="-s  -lcrypt"
make[1]: Entering directory `/mnt/john-1.8.0/src'
......
rm -f ../run/unshadow
ln -s john ../run/unshadow
rm -f ../run/unafs
ln -s john ../run/unafs
rm -f ../run/unique
ln -s john ../run/unique
make[1]: Leaving directory `/mnt/john-1.8.0/src'
[root@localhost src]# cd ..
[root@localhost john-1.8.0]# ls
doc  README  run  src
[root@localhost john-1.8.0]# cd run
[root@localhost run]# ls
ascii.chr   john       lm_ascii.chr  makechr       relbench  unique
digits.chr  john.conf  mailer        password.lst  unafs     unshadow
[root@localhost run]# ./john /etc/passwd /etc/shadow 'run john against the account files'
Loaded 3 password hashes with 3 different salts (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status   'the terminal appears to hang for a while: john is trying candidate passwords'
123123           (root) 'cracked: root's password is 123123'
123123           (lisi)
123123           (gsy)
3g 0:00:00:25 100% 2/3 0.1184g/s 364.1p/s 402.0c/s 402.0C/s leslie..boston
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[root@localhost run]#

password.lst is john's default password dictionary. john works by taking each candidate password, hashing it with the same algorithm and salt as the hash stored in the shadow file, and comparing the result; a match means the account uses that (weak) password. By default it runs three modes in turn: "single crack" (candidates derived from the login name and GECOS field), wordlist mode with password.lst plus word-mangling rules, and finally incremental (brute-force) mode. The "2/3" in the status line above shows the run ended in wordlist mode, because all three hashes had already been cracked.

7.2 installation of JR tools

  • Build method: in src/, run make clean <system type> (running make with no target lists the available system types; linux-x86-64 was used above)
  • The main program file is run/john; unshadow, unafs and unique are symlinks to it

7.3 detect weak password account

  • Obtain the shadow file of the Linux/Unix server (readable by root only)
  • Run john with the shadow file as its argument; better, combine passwd and shadow first with unshadow so that single-crack mode can use the GECOS and home-directory fields, and read the results back with --show

7.4 brute force cracking of password file

  • Prepare the password dictionary file, which defaults to run/password.lst
  • Run john with --wordlist=<dictionary file>; add --rules to apply the word-mangling rules from john.conf
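As an added example (not code from the page, from john or from GRUB), the principle above applied to the grub.pbkdf2.sha512 hash format from the 01_users file in section V: parse the string, derive PBKDF2-HMAC-SHA512 with the stored salt and iteration count, and compare. Python's hashlib has PBKDF2 built in, so no external tool is needed. SAMPLE_SALT, SAMPLE_WORDLIST and the password 123123 are constructed for the demo; grub2-mkpasswd-pbkdf2 produces a string of the same layout with a random salt.

```python
"""Dictionary check against a GRUB2 password_pbkdf2 hash.

Added example; not code from the page, from john or from GRUB. It applies
the principle john uses (hash every candidate with the stored salt and
parameters, then compare with the stored hash) to the
grub.pbkdf2.sha512.<iterations>.<salt>.<hash> string that section V writes
into /etc/grub.d/01_users. SAMPLE_SALT, SAMPLE_WORDLIST and the password
123123 are constructed for the demo.
"""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

PREFIX = "grub.pbkdf2.sha512."


def parse_grub_hash(token: str) -> Tuple[int, bytes, bytes]:
    """Split 'grub.pbkdf2.sha512.<iter>.<salt hex>.<hash hex>' into (iter, salt, hash)."""
    if not token.startswith(PREFIX):
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iterations, salt_hex, hash_hex = token[len(PREFIX):].split(".")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def grub_hash(password: str, salt: bytes, iterations: int = 10000) -> str:
    """Build the string grub2-mkpasswd-pbkdf2 prints: PBKDF2-HMAC-SHA512, 64-byte output, upper-case hex."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return f"{PREFIX}{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def verify(password: str, token: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare (constant time here)."""
    iterations, salt, expected = parse_grub_hash(token)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def dictionary_attack(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """john-style wordlist mode: the first candidate that verifies, or None.

    Every candidate costs a full 10000-iteration PBKDF2, which is the point of
    the iteration count: a wordlist of weak passwords is still feasible to
    try, an exhaustive search of a strong passphrase is not.
    """
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")
        if candidate and verify(candidate, token):
            return candidate
    return None


SAMPLE_SALT = bytes(range(64))        # constructed; grub2-mkpasswd-pbkdf2 uses 64 random bytes
SAMPLE_TOKEN = grub_hash("123123", SAMPLE_SALT)
SAMPLE_WORDLIST = ["password", "123456", "root", "123123", "letmein"]  # stand-in for password.lst

if __name__ == "__main__":
    hit = dictionary_attack(SAMPLE_TOKEN, SAMPLE_WORDLIST)
    print("weak GRUB password found:" if hit else "not in wordlist", hit)
```

Feed it a real token copied from 01_users and run/password.lst as the wordlist to audit the GRUB password the same way john audits shadow; the hash string is all an attacker needs for the same check, so keep the files that hold it readable by root only.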

VIII: network port scanning

8.1 NMAP

  • A powerful network scanning and security detection tool
  • Official website: http://nmap.org/
  • On CentOS 7.3 install the nmap-6.40-7.el7.x86_64.rpm package from the installation DVD
  • It can also be installed with yum from the base repository

8.2 scan syntax for nmap

nmap [scan type] [options] <scan target...>

8.3 common scan types

-sS  TCP SYN scan ("half-open": the handshake is never completed, so the target service never sees a connection; needs root because it uses raw sockets)

-sT  TCP connect scan: lists the target host's TCP ports using full connect() calls, so it works without privileges but the target's services see, and may log, every connection. Example: nmap -sT <target IP address>

-sF  TCP FIN scan

-sU  UDP scan: lists the target host's UDP ports (slow, because closed ports are inferred from ICMP port-unreachable replies). Example: nmap -sU <target IP address>

-sP  ping scan: host discovery only, no port scan. nmap 6.40 already lists this as -sn in the help below and still accepts -sP as an alias
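Added example, not nmap's code: a TCP connect scan, the technique behind -sT. Each port gets a full three-way handshake through connect(), which is why -sT needs no privileges and why the target's service sees the connection. To run offline it starts its own listener on 127.0.0.1 and scans a constructed range around that port; the listener and the range are part of the demo, not of nmap.

```python
"""Minimal TCP connect() scan, the technique behind nmap -sT.

Added example, not nmap code. Each port is probed with a full connect(),
i.e. a completed three-way handshake, so no raw-socket privilege is needed
and the target service sees (and may log) the connection, unlike -sS.
The listener started by demo() on 127.0.0.1 is constructed for the demo.
"""
import socket
import threading
from typing import Dict, Iterable, Tuple


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Return {port: 'open' | 'closed' | 'filtered'} using full TCP connects."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"        # handshake completed
            except ConnectionRefusedError:
                results[port] = "closed"      # RST came back: nothing listening
            except (socket.timeout, OSError):
                results[port] = "filtered"    # no answer: dropped on the way
    return results


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Open a listening socket on an ephemeral port (the demo target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()   # the scanner's connect() lands here
                conn.close()
            except OSError:
                break                    # listener shut down

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def stop_listener(srv: socket.socket) -> None:
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
    except OSError:
        pass
    srv.close()


def demo() -> Tuple[int, Dict[int, str]]:
    """Scan the demo listener plus its two neighbouring ports; return (open port, results)."""
    srv = start_listener()
    port = srv.getsockname()[1]
    try:
        return port, connect_scan("127.0.0.1", [port - 1, port, port + 1])
    finally:
        stop_listener(srv)


if __name__ == "__main__":
    open_port, report = demo()
    for p, state in sorted(report.items()):
        print(f"{p}/tcp {state}")
```

Against a real host, replace the constructed range with the ports of interest; a "filtered" result is the scanner's timeout, so raise `timeout` on slow links before concluding a firewall is dropping the probes.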

--help output

[root@localhost run]# nmap --help

Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma separted list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Nine: summary

Basic account security measures

  • System account cleaning, password security control, command history cleaning, automatic logout

User switching and privilege escalation

  • su, sudo

Boot security control

  • BIOS boot settings, disabling the Ctrl+Alt+Del shortcut, setting a GRUB menu password

Terminal login control

  • /etc/securetty, /etc/nologin

Weak password detection

  • John the Ripper

Port scanning

  • nmap

This chapter covers the security of a single host only; security at the network level is not discussed

Posted by Cetanu on Fri, 15 Nov 2019 04:15:08 -0800