Mainly from account security control, system guidance and login control, weak password detection, port scanning local control to learn
I. Basic Measures for account security
1.1 system account cleaning
- Set the Shell of the non login user to / sbin/nologin
- Lock account 'usermod -L' not used for a long time
- Delete useless account 'userdel -r'
- Lock the account files passwd and shadow to control that the user (including root) cannot create, delete or modify the account
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow 'lock passwd and shadow + i' [root@localhost ~]# Ls attr / etc / passwd / etc / shadow 'LS check whether the attr is locked, that is, check the status' ----i----------- /etc/passwd 'locking' ----i----------- /etc/shadow 'locking'
+i lock - i unlock
lsattr to see if it is locked
Practical exercises:
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow 'lock account file' [root@localhost ~]# lsattr /etc/passwd /etc/shadow 'view account file status' ----i----------- /etc/passwd ----i----------- /etc/shadow [root@localhost ~]# id zhangsan 'check whether the test account exists' id: zhangsan: no such user 'No feedback' [root@localhost ~]# useradd lisi 'create lisi' useradd: Unable to open /etc/passwd 'Feedback: unable to open account file for modification' [root@localhost ~]# chattr -i /etc/passwd /etc/shadow 'unlock' [root@localhost ~]# useradd lisi 'create lisi again' [root@localhost ~]# passwd lisi //Change the password for user lisi. //New password: //Invalid password: password is less than 8 characters //Reenter new password: passwd: All authentication tokens have been successfully updated. 'Success' [root@localhost ~]# lsattr /etc/passwd /etc/shadow 'now check the status of the account file' ---------------- /etc/passwd ---------------- /etc/shadow [root@localhost ~]# chattr +i /etc/passwd /etc/shadow 'lock again' [root@localhost ~]# userdel lisi 'delete lisi' userdel: Unable to open /etc/passwd 'Feedback cannot be deleted' [root@localhost ~]# chattr -i /etc/passwd /etc/shadow 'unlock account file' [root@localhost ~]# userdel lisi 'delete again' [root@localhost ~]# id lisi 'view lisi' id: lisi: no such user 'Delete successful' [root@localhost ~]# ls /home 'view home directory of ordinary users' gsy lisi 'lisi 's home directory is still there because it was not deleted-r Recursive deletion' [root@localhost ~]# rm -rf /home/lisi 'force delete' [root@localhost ~]# ls /home gsy
1.2 password security control
- Set password validity
- Require the user to change the password at the next login
[root@localhost ~]# vim /etc/login.defs' enter default configuration file ' ...... PASS_MAX_DAYS 99999 'The default is 99999 days' PASS_MAX_DAYS 30 'Can be modified to 30 day validation first'
Modifying the default profile is applicable to user creation after the time point after saving the modified profile. This method does not change the password validity of the created user
[root @ localhost ~] (tail - 3 / etc / shadow 'view the last three lines of the account password file' tcpdump:!!:18192:::::: gsy:$6$4r65p5GBvUZhGlnz$Cs.RsqZdbDij5eQeIxWRi3f4VERzZFsp1TSkgaURI3d0Beafr8TT//iBETmpgEsW//yoHoqfvL9k2BwmGQlx51::0:'99999':7::: '99999 marked in single quotation marks is the validity period of gsy user's password' apache:!!:18213:::::: [root @ localhost ~] (useradd lisi 'create lisi' Creating mailbox file: file already exists [root @ localhost ~] (passwd Lisi 'set password' Change the password for user lisi. New password: Invalid password: password is less than 8 characters Reenter new password: passwd: all authentication tokens have been successfully updated. [root @ localhost ~] (tail - 3 / etc / shadow 'view the last three lines' gsy:$6$4r65p5GBvUZhGlnz$Cs.RsqZdbDij5eQeIxWRi3f4VERzZFsp1TSkgaURI3d0Beafr8TT//iBETmpgEsW//yoHoqfvL9k2BwmGQlx51::0:99999:7::: apache:!!:18213:::::: lisi:$6$zpsumHLN$TvYWGP5LO4IVnjMnrEjUqGZeoDr7mtVFMqQ5DRjwTo1X6j5wHvSc7ZlJATPvlH2bFmp3vmZSpnqJ7ZgTL3MSu1:18214:0:'30':7::: 'the password of the newly created lisi is valid for 30 days'
The password validity setting command for an existing user is
[root@localhost ~]# chage -M time user name
[root@localhost ~]# chage -M 99999 lisi 'Set up lisi The password is valid for 99999' [root@localhost ~]# tail -3 /etc/shadow 'view' gsy:$6$4r65p5GBvUZhGlnz$Cs.RsqZdbDij5eQeIxWRi3f4VERzZFsp1TSkgaURI3d0Beafr8TT//iBETmpgEsW//yoHoqfvL9k2BwmGQlx51::0:99999:7::: apache:!!:18213:::::: lisi:$6$zpsumHLN$TvYWGP5LO4IVnjMnrEjUqGZeoDr7mtVFMqQ5DRjwTo1X6j5wHvSc7ZlJATPvlH2bFmp3vmZSpnqJ7ZgTL3MSu1:18214:0:'99999':7:::
Password validity setting
1. How to set the created user: chage -M 30
2. How to set the user that is not created: use vim editor to go to / etc/longin.defs file
Default file for login.defs login
Restore the validity period in / etc/login.defs to the default date
#It is a comment symbol. If there is an X at the beginning of the line, it will not be executed
# Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 : wq 'Save exit'
[root@localhost ~]# chage --help Usage: chage [options] login Options: -D, - lastday set the last password setting time to "latest date" -E, --expiredate expiration date sets the account expiration time to "expiration date" -h, --help display this help message and launch -I. after - INACTIVE inactive expires for several days, set the password to invalid status -l, --list display account age information -M, - Minimum days set the minimum number of days between two password changes to "minimum days" -M, --maxdays Max days sets the maximum number of days between password changes to Max days -R, -- root chroot? Dir chroot to -W, -- warnings warning days set expiration warning days to warning days
Practical exercises:
[root @ localhost ~] (chage - d 0 Lisi 'means to change the password in time at the next login' [root @ localhost etc] ා Su Lisi 'without - will switch users, will not switch directories' [lisi@localhost etc]$ exit [root @ localhost etc] ා Su - Lisi 'band - not only switch users, but also switch to users' home directory' Last login: on April 14, November 14, 14:00:17, CST 2019pts / 0 [lisi@localhost ~]$ exit [root @ localhost lisi] ා Su GSY 'switch to the same level user to log in to lisi' [gsy@localhost lisi]$ su lisi Password: You need to change your password now (root enforcement) Change the press password for lisi. (current) UNIX password: 'is the current password' New password: Invalid password: the password is too similar to the original one New password: Invalid password: the password is too similar to the original one New password: Invalid password: the password is too similar to the original one su: the maximum number of service retries has been exceeded [gsy@localhost lisi]$
Summary:
Chage-d 0 user name: change the password in time the next time you log in (the modified password does not allow consecutive numbers and letters, which can be zxc196! Type)
1.3 command history restrictions
- Reduce the number of commands recorded
[root@localhost lisi]# vim /etc/profile 'enter / etc/profile' HOSTNAME=`/usr/bin/hostname 2>/dev/null` HISTSIZE=1000 'The default value is 1000, which can be modified to 200 to reduce the history command cache'
- Automatically clear command history on logout
[root@localhost /]# vim ~/.bash_logout 'Get into root Home directory~Log off variable file in to configure' # ~/.bash_logout history -c 'increase' clear 'increase' ~
1.4 automatic cancellation of terminal
- Auto logout after 600s idle
[root@localhost /]# vim ~/.bash_profile 'edit the environment variable of the root directory' # .bash_profile # Get the aliases and functions if [ -f ~/.bashrc ]; then . ~/.bashrc fi 'export TIMOUT=600' 'Single quotation mark is not included, here is the added item, more than 600 s Will automatically log out' # User specific environment and startup programs PATH=$PATH:$HOME/bin export PATH
Summary:
The cancellation time should not be too fast, otherwise it is not easy to modify it back
Two: use su command to switch users
2.1 purpose and usage
- Purpose: Substitute User, switch user
- Format:
[root @ localhost /] (Su - target user Usage: su [options] [-] [USER [parameters]...] Change the valid USER id and group id to the USER's id. Single - treated as - l. If USER is not specified, root is assumed. Options: -M, - P, - preserve environment does not reset environment variables -G, -- group < group > specify primary group -G, -- sup group < group > specify a secondary group -, - L, - login makes the shell a login shell -c, -- command < command > use - c to pass a command to the shell --Session command < command > use - c to pass a command to the shell Without creating a new session -F, - fast passes the - f option (csh or tcsh) to the shell -S, -- shell < shell > Run shell if / etc/shells allows -h, --help display this help and exit -V, - version output version information and exit
2.2 password verification
- root switches to any user without password verification
- When a normal user switches to another user, the password of the target user needs to be verified
[root @ localhost /] (Su - GSY 'with - option ID will use the target user's login shell environment' Last login: on April 14, November 14, 14:16:48, CST 2019pts / 0 [gsy@localhost ~]$ su - root Password: Last login: on April 14, November 14, 14:28:57, CST 2019pts / 0 [root@localhost ~]# whoami root [root@localhost ~]#
2.3 restrict users of su command
- Users who are allowed to use the su command are added to the wheel group, and users in the wheel group can use su to switch user commands
[root@localhost ~]# id gsy uid=1000(gsy) gid=1000(gsy) group=1000(gsy) [root@localhost ~]# cat /etc/group | grep wheel wheel:x:10: [root@localhost ~]# cat /etc/gshadow | grep wheel wheel::: [root@localhost ~]# gpasswd -a gsy wheel //Adding user 'gsy' to the 'wheel' group [root@localhost ~]# id gsy uid=1000(gsy) gid=1000(gsy) group=1000(gsy),10(wheel) [root@localhost ~]# cat /etc/group | grep wheel wheel:x:10:gsy [root@localhost ~]# cat /etc/gshadow | grep wheel wheel:::gsy
- Enable PAM? Wheel authentication module
[root@localhost ~]# vim /etc/pam.d/su %PAM-1.0 auth sufficient pam_rootok.so # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. #auth required pam_wheel.so use_uid 'hold#Delete to enable ' auth substack system-auth auth include postlogin account sufficient pam_succeed_if.so uid = 0 use_uid quiet account include system-auth password include system-auth session include system-auth session include postlogin session optional pam_xauth.so //Remember wq save exit
pam.su needs to be enabled manually. When it is not enabled, by default, all users can use Su to switch to other users. Even users who are not in the wheel can use su
[root@localhost pam.d]# id gsy 'see which group gsy is in' uid=1000(gsy) gid=1000(gsy) group=1000(gsy),10(wheel) [root@localhost pam.d]# id lisi 'view which group lisi is in' uid=1001(lisi) gid=1001(lisi) group=1001(lisi) [root@localhost pam.d]# id root 'view root, not in wheel' uid=0(root) gid=0(root) group=0(root) [root@localhost pam.d]# su gsy 'switch to normal user directly' [gsy@localhost pam.d]$ su lisi 'Switch users of the same level' //Password: [lisi@localhost pam.d]$ su gsy 'lisi Switch to gsy' //Password: su: Deny authority 'su Deny authority' [lisi@localhost pam.d]$ su root 'lisi switch root' //Password: su: Deny authority [lisi@localhost pam.d]$ exit 'Back to previous user' exit [gsy@localhost pam.d]$ exit 'Back to previous user' exit [root@localhost pam.d]# gpasswd -a lisi wheel 'add lisi to the wheel group' //Adding user 'lisi' to the 'wheel' group [root@localhost pam.d]# su lisi [lisi@localhost pam.d]$ su gsy 'Switch to again gsy' //Password: [gsy@localhost pam.d]$ 'Handover success'
2.4 viewing su operation records
- Security log file; / var/log/secure
[root@localhost /]# cd /var/log [root@localhost log]# ls anaconda dmesg lastlog qemu-ga sssd wtmp yum.log audit dmesg.old libvirt rhsm tallylog Xorg.0.log boot.log firewalld maillog sa tuned Xorg.0.log.old btmp gdm messages samba vmware-vgauthsvc.log.0 Xorg.1.log chrony glusterfs ntpstats 'secure' vmware-vmsvc.log Xorg.1.log.old cron grubby_prune_debug pluto speech-dispatcher vmware-vmusr.log Xorg.2.log cups httpd ppp spooler wpa_supplicant.log Xorg.9.log
III. PAM security certification in Liunx
3.1 safety hazards of Su command
- Security risks of su command
- By default, any user is allowed to use su command, so malicious users have the opportunity to repeatedly try the login password of other users (such as root), which brings security risks
- In order to strengthen the use control of su command, only a few users can use su command to switch with the help of PAM authentication module
- PAM (Pluggable Authentication Modules) is an efficient, flexible and convenient user level authentication mode, which is also widely used in Linux servers
3.2 PAM certification principle
- PAM authentication generally follows the order: Service > PAM > PAM *. So
- PAM authentication first determines which service, then loads the corresponding PAM configuration file (located under /etc/pam.d), and finally calls the authentication file (located under /lib/security) for security authentication.
- When the user accesses the server, a service program of the server sends the user's request to the PAM module for authentication
- Different applications have different PAM modules
. so is the module file
3.3 composition of PAM certification
- To check whether a program supports PAM authentication, you can use the ls command to check / etc/pam.d, and then the pipeline symbol retrieves the program you want to query; for example, to check whether su supports PAM module authentication
- ls /etc/pam.d | grep su
- Check the PAM configuration file of Su: cat /etc/pam.d/su
- Each line is an independent authentication process
- Each row can be divided into three fields
- Authentication type
- control type
- PAM module and its parameters
3.4 PAM safety certification process
- The control type can also ride Control Flags, which is used for the return result of PAM verification type
- 1. Continue if the required verification fails, but return Fail
- 2. If the request verification fails, the whole verification process will be ended immediately and fail (the most important step) will be returned
- 3. If the verification is successful, it will return immediately and will not continue. Otherwise, ignore the result and continue
- 4.optional is not used for authentication, only information is displayed (usually user session type)
IV. use sudo mechanism to enhance authority
4.1 disadvantages of Su command
By default, any user is allowed to use su command, so malicious users have the opportunity to repeatedly try the login password of other users (such as root), which brings security risks
4.2 use and usage of sudo command
- Purpose: to execute authorized commands as other users (such as root)
- Usage: sudo authorization command
4.3 configure sudo authorization
- visudo command or vim /etc/sudoers
- Record format: user host name list = command program list
[root@localhost log]# visudo ...... //User host name list = command program list %wheel ALL = NOPASSWD:ALL jerry localhost = /sbin/ifconfig syrianer localhost = /sbin/*,!/sbin/ifconfig,!/sbin/route 'General symbols can be used*And reverse sign!' Cmnd_Alias PKGTOOLS = /bin/rpm,/usr/bin/yum mike localhost = PKGTOOLS
Remarks:
You can use the wildcard * and reverse symbols!
The name list of users and hosts is separated by tabs, and there are spaces around the = sign. If there are two or more commands in the command program list, the commands are separated by commas,
The command program should write the absolute path, which should be used for checking
Host name view with hostname
Percentage sign in front of user field represents group
localhost is the local host name
! / sbin/ifconfig except / sbin/ifconfig
Cmnd ﹣ alias command alias PKGTOOLS (Chinese meaning packaging pool) alias, which is equivalent to arranging related commands into a group, which can be used for the host column table = alias
Similar aliases include user alias, host alias
[root @ localhost gsy] ා id gsy 'view the id of gsy' uid=1000(gsy) gid=1000(gsy) group = 1000(gsy) [root @ localhost GSY] ා id lisi 'view the id of lisi' id: lisi: no such user 'no lisi' [root @ localhost GSY] ා useradd lisi 'create test user lisi' [root@localhost gsy]# passwd lisi Change the password for user lisi. New password: Invalid password: password failed dictionary check - it does not contain enough different characters Reenter new password: passwd: all authentication tokens have been successfully updated. [root @ localhost GSY] ා id lisi 'view the id of lisi' uid=1001(lisi) gid=1001(lisi) group = 1001(lisi) [root @ localhost GSY] ා ifconfig 'to modify the ip address as an example, first check the ip address' ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.139.153 netmask 255.255.255.0 broadcast 192.168.139.255 inet6 fe80::413b:c9ad:e0e:1afc prefixlen 64 scopeid 0x20<link> ether 00:0c:29:d6:c0:8a txqueuelen 1000 (Ethernet) RX packets 741 bytes 574698 (561.2 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 332 bytes 31777 (31.0 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@localhost gsy]# su lisi [Lisi @ localhost GSY] $ifconfig ens33 10.10.10.10 'enter the command to modify ip address normally first' SIOCSIFADDR: operation not allowed SIOCSIFFLAGS: operation not allowed 'feedback cannot be performed, no permission' [Lisi @ localhost GSY] $sudo ifconfig ens33 10.10.10.10 'sudo rights enforcement' We trust that you have learned the daily precautions from your system administrator. To sum up, there are three points: #1) respect the privacy of others. #2) consider (consequences and risks) before entering. #3) the greater the power, the greater the responsibility. Password for [sudo] lisi: lisi is not in the sudoers file. It will be reported 'feedback said that lisi no longer has sudoers file, and will check this file later' [lisi@localhost gsy]$ cd / [Lisi @ localhost /] $sudo - L 'view sudo permissions' Password for [sudo] lisi: Sorry, user lisi cannot run sudo on localhost 'show lsii can't use sudo' [lisi@localhost /]$ su root Password: [root @ localhost /] (gpasswd - a lisi wheel 'add lisi to the wheel group' Adding user 'lisi' to the 'wheel' group [root@localhost /]# id lisi uid=1001(lisi) gid=1001(lisi) group = 1001(lisi),10(wheel) [root@localhost /]# su lisi [lisi@localhost /]$ ifconfig ens33 10.10.10.10 SIOCSIFADDR: operation not allowed SIOCSIFFLAGS: operation not allowed [lisi@localhost /]$ sudo ifconfig ens33 10.10.10.10 We trust that you have learned the daily precautions from your system administrator. To sum up, there are three points: #1) respect the privacy of others. #2) consider (consequences and risks) before entering. #3) the greater the power, the greater the responsibility. Password for [sudo] lisi: SIOCSIFADDR: file already exists [lisi@localhost /]$ ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.10.10.10 netmask 255.0.0.0 broadcast 10.255.255.255 inet6 fe80::413b:c9ad:e0e:1afc prefixlen 64 scopeid 0x20<link> ether 00:0c:29:d6:c0:8a txqueuelen 1000 (Ethernet) RX packets 2581 bytes 697151 (680.8 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 525 bytes 50661 (49.4 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [lisi@localhost /]$ sudo -l Password for [sudo] lisi: Match default entry for% s on% s: !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User lisi can run the following command on localhost: (ALL) ALL
At this time, query the sudoers file, / etc/sudoers. If you use lisi to go to vim /etc/sudoers, you will be prompted that you do not have sufficient permissions. You need su to root and then go to vim
[root@localhost /]# grep -v "^#" /etc/sudoers >> 1.txt 'The order is to/etc/sudoers Valid command input to 1.txt in' [root@localhost /]# cat 1.txt Defaults !visiblepw Defaults always_set_home Defaults match_group_by_gid Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin root ALL=(ALL) ALL %wheel ALL=(ALL) ALL 'stay wheel Users in the group can perform all operations on all hosts'
[root@localhost /]# VIM / etc / sudoers' VIM enters configuration file ' ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL 'This order, above is the explanation' ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL
You can manually configure an entry in / etc/sudoers
[root@localhost /]# which ifconfig 'find the absolute path of the command first' /usr/sbin/ifconfig [root@localhost /]# Hostname 'view hostname' localhost.localdomain [root@localhost /]# vim /etc/sudoers ## Allow root to run any commands anywhere root ALL=(ALL) ALL lisi localhost = /usr/sbin/ifconfig 'New to this line' ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL : wq! Preservation [root@localhost /]# gpasswd -d lisi wheel 'Remove lisi from wheel' //Removing user 'lisi' from the 'wheel' group [root@localhost /]# id lisi uid=1001(lisi) gid=1001(lisi) group=1001(lisi) [root@localhost /]# su lisi 'switch lisi' [lisi@localhost /]$ ifconfig ens33 13.13.13.13i 'Direct use command' SIOCSIFADDR: Operation not allowed SIOCSIFFLAGS: Operation not allowed [lisi@localhost /]$ sudo ifconfig ens33 13.13.13.13 'Add sudo' [sudo] lisi Password: [lisi@localhost /]$ ifconfig 'See ens33 Configuration, found modified' ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 13.13.13.13 netmask 255.0.0.0 broadcast 13.255.255.255 inet6 fe80::413b:c9ad:e0e:1afc prefixlen 64 scopeid 0x20<link> ether 00:0c:29:d6:c0:8a txqueuelen 1000 (Ethernet) RX packets 4927 bytes 874213 (853.7 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 812 bytes 95433 (93.1 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [lisi@localhost /]$ sudo -l 'Look again sudo Authority' //Match default entry for% s on% s: !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin //User lisi can run the following command on localhost: (root) /usr/sbin/ifconfig 'Available permissions' [lisi@localhost /]$
4.4 viewing sudo operation records
- Default logfile configuration needs to be enabled
- Default log file / var/log/sudo
[root@localhost ~]# visudo 'or vim /etc/sudoers can also' ...... ## Allow root to run any commands anywhere root ALL=(ALL) ALL lisi localhost = /usr/sbin/ifconfig Defaults logfile = "/var/log/sudo" 'Input settings' ## Allows members of the 'sys' group to run networking, software,
sduo operations performed after the default configuration file / var/log/sudo is enabled will be recorded in this file
[root@localhost ~]# cat /var/log/sudo Nov 14 19:24:15 : lisi : TTY=pts/1 ; PWD=/home/lisi ; USER=root ; COMMAND=/sbin/ifconfig ens33 14.14.14.14 Nov 14 19:25:00 : lisi : TTY=pts/1 ; PWD=/home/lisi ; USER=root ; COMMAND=list Nov 14 19:28:28 : lisi : TTY=pts/1 ; PWD=/home/lisi ; USER=root ; COMMAND=/sbin/ifconfig ens33 15.15.15.15
su -l is also an instruction to switch to root
V. switch safety control
5.1 adjusting BIOS boot settings
- Set the first boot device as the hard disk of the current system
- Do not boot the system from other devices (CD, U SB, network)
- Set the security level to isetup and set the administrator password
Note: it is forbidden to boot the system from other devices. I feel that if you forget the root password, you may not be able to modify it from the CD-ROM drive, so please operate carefully
5.2 GRUB limits
- Using Grub2 mkpasswd pbkdf2 to generate the key
- Modify / etc / grub.d/00'header file to add password record
- Generate a new grub.cfg configuration file
pbkdf2 is an algorithm
Use the arrow keys to change the selection. Press "e" to edit the selected item, or "c" as the command prompt. The selected entry will start automatically in 4s
Press e's interface
Press the interface of c
You can enter editing directly, and you can set password for it to ensure security.
To set grub password:
[root@localhost ~]# cd /boot/grub2 'switch to kernel / boot/grub2 directory' [root@localhost grub2]# ls' view ' device.map fonts grub.cfg grubenv i386-pc locale [root@localhost grub2]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak 'make a backup of the configuration file before you do the operation, so as to prevent the error from being unrecoverable' [root@localhost grub2]# ls' view ' device.map fonts grub.cfg 'grub.cfg.bak' grubenv i386-pc locale 'Backup profile succeeded' [root@localhost grub2]# cd /etc/grub.d / 'switch to the configuration / etc/grub.d directory' [root@localhost grub.d]# ls' view ' 00_header 01_users 20_linux_xen 30_os-prober 41_custom 00_tuned 10_linux 20_ppc_terminfo 40_custom README [root@localhost grub.d]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak 'hold grub Head file backup for' [root@localhost grub.d]# ls 00_header 00_tuned 10_linux 20_ppc_terminfo 40_custom README 00_header.bak 01_users 20_linux_xen 30_os-prober 41_custom [root@localhost grub.d]# Grub2 mkpasswd pbkdf2 'use mkpasswd pbkdf2 algorithm to encrypt password' //Enter password: 'enter password to set' Reenter password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.0A69A269813E2E719399E15405F9006F0370B5812D9912FCC8E3F10E565AA70202B19594A592F399B6F96240E6E6572D6F9CEC1E0F032962A315D97E61E90.7291C86820FB883DC5D1339D991292DED755221AEAA381AF70232A7223CCA6AAE4039D3DDEA9E9400613894B6BA29D81FD1B72386285B7A534CFDA0CAD881AC7 'grub.pbkdf2.sha512 Next is the password, copy and paste' [root@localhost grub.d]# vim /etc/grub.d/00_header if [ "x${GRUB_BADRAM}" != "x" ] ; then echo "badram ${GRUB_BADRAM}" fi cat << EOF 'Edit from here' set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.10000.0A69A269813E2E719399E15405F9006F0370B5812D9912FCC8E3F10E565AA70202B19594A592F399B6F96240E6E6572D6F9CEC1E0F032962A315D97E61E90.7291C86820FB883DC5D1339D991292DED755221AEAA381AF70232A7223CCA6AAE4039D3DDEA9E9400613894B6BA29D81FD1B72386285B7A534CFDA0CAD881AC7 EOF : wq [root@localhost grub.d]# grub2-mkconfig -o /boot/grub2/grub.cfg 're output configuration file' Generating grub configuration file ... Found linux image: /boot/vmlinuz-3.10.0-693.el7.x86_64 Found initrd image: /boot/initramfs-3.10.0-693.el7.x86_64.img Found linux image: /boot/vmlinuz-0-rescue-33c124456fa34c50a98483245dfea58d Found initrd image: /boot/initramfs-0-rescue-33c124456fa34c50a98483245dfea58d.img done [root@localhost grub.d]# [root@localhost grub.d]# init 6 'restart'
Press e or c
The wrong user or password will exit, and the correct one will enter safely
Vi. terminal login security control
6.1 restrict root to log in only at the secure terminal
- Security terminal configuration / etc/securetty
- If you don't want root to log in any more, comment out the one
[root@localhost etc]# vim /etc/securetty #console 'Default is not#, you can log in. If you don't want users to log in from consle, you can comment it out vc/1 vc/2 vc/3 : wq! Modify to the desired result and save to exit
6.2 prohibit ordinary users from logging in
- Create / etc/nologin file (used for maintenance. Setting this file can facilitate and effectively prevent variables from appearing)
- Delete nologin file or restore to normal after restart
[root@localhost ~]# touch /etc/nologin 'Disable normal user login' [root@localhost etc]# find -name "nologin" ./nologin [root@localhost etc]# rm -rf /etc/nologin 'delete the / etc/nologin file to restore normal'
VII: system weak password detection
7.1 John the Ripper, JR for short
- A cryptanalysis tool that supports dictionary style brute force cracking
- Through password analysis of shadow file, password strength can be detected
- Unable to download via yum, where you want to comment + 1
[root@localhost etc]# mkdir /aaa [root@localhost etc]# mount.cifs //192.168.254.10/linuxs /aaa Password for root@//192.168.254.10/linuxs: [root@localhost etc]# cd /aaa [root@localhost aaa]# ls apr-1.4.6.tar.gz apr-util-1.4.1.tar.gz httpd-2.4.2.tar.gz john-1.8.0.tar.gz [root@localhost aaa]# tar xzvf john-1.8.0.tar.gz -C /mnt john-1.8.0/README john-1.8.0/doc/CHANGES john-1.8.0/doc/CONFIG ...... [root@localhost aaa]# ls /mnt john-1.8.0 [root@localhost aaa]# cd /mnt/john-1.8.0/ [root@localhost john-1.8.0]# ls doc README run src 'readme an instruction manual, doc Documents are useless, src Source file directory, which needs to be configured and installed' [root@localhost john-1.8.0]# cd run [root@localhost run]# ls ascii.chr john.conf mailer password.lst digits.chr lm_ascii.chr makechr relbench [root@localhost run]# ls /mnt/john-1.8.0/src AFS_fmt.c common.h external.c LM_fmt.c misc.h rpp.h tty.h alpha.h compiler.c external.h loader.c nonstd.c rules.c unafs.c alpha.S compiler.h formats.c loader.h options.c rules.h unique.c batch.c config.c formats.h logger.c options.h sboxes.c unshadow.c batch.h config.h getopt.c logger.h os.h sboxes-s.c vax.h bench.c cracker.c getopt.h Makefile params.c signals.c wordlist.c bench.h cracker.h ia64.h Makefile.dep params.h signals.h wordlist.h best.c crc32.c idle.c math.c pa-risc.h single.c x86-64.h best.sh crc32.h idle.h math.h path.c single.h x86-64.S BF_fmt.c DES_bs_b.c inc.c MD5_fmt.c path.h sparc32.h x86-any.h BF_std.c DES_bs.c inc.h MD5_std.c ppc32alt.h sparc64.h x86-mmx.h BF_std.h DES_bs.h john.asm MD5_std.h ppc32.h status.c x86-mmx.S BSDI_fmt.c DES_fmt.c john.c memory.c ppc64alt.h status.h x86.S c3_fmt.c DES_std.c john.com memory.h ppc64.h symlink.c x86-sse.h charset.c DES_std.h john.h mips32.h recovery.c times.h x86-sse.S charset.h detect.c list.c mips64.h recovery.h trip_fmt.c common.c dummy.c list.h misc.c rpp.c tty.c
Installation of this toolkit requires manual compilation and installation
[root@localhost run]# yum install gcc gcc-c++ -y 'install environment package' //If yum.pid is locked, kill -9 pid first, and then go to Yum for installation //Installed as a dependency: cpp.x86_64 0:4.8.5-39.el7 glibc-devel.x86_64 0:2.17-292.el7 glibc-headers.x86_64 0:2.17-292.el7 kernel-headers.x86_64 0:3.10.0-1062.4.3.el7 libmpc.x86_64 0:1.0.1-3.el7 libstdc++-devel.x86_64 0:4.8.5-39.el7 //Upgraded as a dependency: glibc.x86_64 0:2.17-292.el7 glibc-common.x86_64 0:2.17-292.el7 libgcc.x86_64 0:4.8.5-39.el7 libgomp.x86_64 0:4.8.5-39.el7 libstdc++.x86_64 0:4.8.5-39.el7 //Complete! [root@localhost run]# ls /mnt/john-1.8.0/src AFS_fmt.c common.h external.c LM_fmt.c misc.h rpp.h tty.h alpha.h compiler.c external.h loader.c nonstd.c rules.c unafs.c alpha.S compiler.h formats.c loader.h options.c rules.h unique.c batch.c config.c formats.h logger.c options.h sboxes.c unshadow.c batch.h config.h getopt.c logger.h os.h sboxes-s.c vax.h bench.c cracker.c getopt.h Makefile params.c signals.c wordlist.c bench.h cracker.h ia64.h Makefile.dep params.h signals.h wordlist.h best.c crc32.c idle.c math.c pa-risc.h single.c x86-64.h best.sh crc32.h idle.h math.h path.c single.h x86-64.S BF_fmt.c DES_bs_b.c inc.c MD5_fmt.c path.h sparc32.h x86-any.h BF_std.c DES_bs.c inc.h MD5_std.c ppc32alt.h sparc64.h x86-mmx.h BF_std.h DES_bs.h john.asm MD5_std.h ppc32.h status.c x86-mmx.S BSDI_fmt.c DES_fmt.c john.c memory.c ppc64alt.h status.h x86.S c3_fmt.c DES_std.c john.com memory.h ppc64.h symlink.c x86-sse.h charset.c DES_std.h john.h mips32.h recovery.c times.h x86-sse.S charset.h detect.c list.c mips64.h recovery.h trip_fmt.c common.c dummy.c list.h misc.c rpp.c tty.c [root@localhost run]# cd ../src [root@localhost src]# make linux-x86-64 ln -sf x86-64.h arch.h make ../run/john ../run/unshadow ../run/unafs ../run/unique \ JOHN_OBJS="DES_fmt.o DES_std.o DES_bs.o DES_bs_b.o BSDI_fmt.o MD5_fmt.o MD5_std.o BF_fmt.o BF_std.o AFS_fmt.o LM_fmt.o trip_fmt.o dummy.o batch.o bench.o charset.o common.o compiler.o config.o cracker.o crc32.o external.o formats.o getopt.o idle.o inc.o john.o list.o loader.o logger.o math.o memory.o misc.o options.o params.o path.o recovery.o rpp.o rules.o signals.o single.o status.o tty.o wordlist.o unshadow.o unafs.o unique.o c3_fmt.o x86-64.o" \ CFLAGS="-c -Wall -Wdeclaration-after-statement -O2 -fomit-frame-pointer -DHAVE_CRYPT" \ LDFLAGS="-s -lcrypt" make[1]: Enter directory“/mnt/john-1.8.0/src" ...... rm -f ../run/unshadow ln -s john ../run/unshadow rm -f ../run/unafs ln -s john ../run/unafs rm -f ../run/unique ln -s john ../run/unique make[1]: Leave directory“/mnt/john-1.8.0/src" [root@localhost src]# ls doc README run src [root@localhost john-1.8.0]# cd run [root@localhost run]# ls ascii.chr john lm_ascii.chr makechr relbench unique digits.chr john.conf mailer 'password.lst' unafs unshadow [root@localhost run]# . / john /etc/passwd /etc/shadow 'run john to view the account file' Loaded 3 password hashes with 3 different salts (crypt, generic crypt(3) [?/64]) Press 'q' or Ctrl-C to abort, almost any other key for status 'It will stop for a while, and cannot operate at this time, because the password is matching' 123123 (root) 'It's a match' 123123 (lisi) 123123 (gsy) 3g 0:00:00:25 100% 2/3 0.1184g/s 364.1p/s 402.0c/s 402.0C/s leslie..boston Use the "--show" option to display all of the cracked passwords reliably Session completed [root@localhost run]#
password.list is a password dictionary. john's working principle is to match the password in the account file with the password dictionary, so as to verify whether the security level of the password is high
7.2 installation of JR tools
- Installation method: make clean system type
- The main program file is john
7.3 detect weak password account
- Get shadow file of Linux/Unix server
- Execute john program with shadow file as parameter
7.4 brute force cracking of password file
- Prepare the password dictionary file, which defaults to password.lst
- Execute john program, combine -- wordlist = dictionary file
VIII: network port scanning
8.1 NMAP
- A powerful network scanning and security detection tool
- Official website: http://nmap.org/
- Install the nmap-6.40-7.el7.x86_.rpm package from the CentOS 7.3 CD
- You can download it using yum
8.2 scan syntax for nmap
nmap [scan type] [options] < scan target... >
8.3 common scan types
-syn scan of SS TCP
-sT view the TCP port of the target host for example: nmap -sT target IP address
-Scan of fin in SF TCP
-sU view the UDP port of the target host for example: nmap -sU target IP address
-SP Ping scan
--help translation
[root@localhost run]# nmap --help Usage: nmap [Scan Type(s)] [Options] {target specification} Usage method:nmap[Scan type][option]{Target specification} TARGET SPECIFICATION: Target specification: Can pass hostnames, IP addresses, networks, etc. Host name IP Address, network, etc. Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; for example:scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 10.0.0-255.1-254 -iL <inputfilename>: Input from list of hosts/networks -iL <inputfilename>:From host/Input of network list -iR <num hosts>: Choose random targets -iR <num Host>:Random target selection --exclude <host1[,host2][,host3],... -Exclude< host1 [, host2] [host3],... >: Exclude hosts/networks >:Exclude host/network --excludefile <exclude_file>: Exclude list from file -exclude_file>:Exclude list from file HOST DISCOVERY: Owner found: -sL: List Scan - simply list targets to scan List scanning-Simply list the targets to scan -sn: Ping Scan - disable port scan Ping scanning-Disable port scanning -Pn: Treat all hosts as online -- skip host discovery -Pn:Treat all hosts Online-Skip host discovery -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP Discover the given port -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PE/PP/PM: ICMP echo,Timestamp and netmask Request discovery probe -PO[protocol list]: IP Protocol Ping -PO[Protocol list]:IP Agreement Ping -n/-R: Never do DNS resolution/Always resolve [default: sometimes] -n/-R:Never do DNS analysis/Always parsing[default:Sometimes] --dns-servers <serv1[,serv2],... -dns The server<Namely serv1 [,serv2]... >: Specify custom DNS servers >:Specify custom DNS The server --system-dns: Use OS's DNS resolver -system DNS:Use OS Of DNS Parser --traceroute: Trace hop path to each host -traceroute:Trace to each host's hop Route SCAN TECHNIQUES: scanning technique: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scanning -sU: UDP Scan - su: UDP scanning -sN/sF/sX: TCP Null, FIN, and Xmas scans -sN/sF/sX: TCP Null, FIN,And Christmas scan --scanflags <flags>: Customize TCP scan flags -scanflags <flags>:custom TCP Scanning mark -sI <zombie host[:probeport]>: Idle scan -sI <zombie host[:probeport]>:idle scan -sY/sZ: SCTP INIT/COOKIE-ECHO scans SCTP INIT/COOKIE-ECHO scanning -sO: IP protocol scan IP Protocol scan -b <FTP relay host>: FTP bounce scan -b <FTP relay host>:FTP Rebound scan PORT SPECIFICATION AND SCAN ORDER: Port specifications and scan order: -p <port ranges>: Only scan specified ports -p <Port range>:Scan only specified ports Ex: -p22; example:Twenty-second place; -p1-65535; p1 - 65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 T - p U: 53111137: 21 - 25 day,80139 year,8080 year,history:9 -F: Fast mode - Scan fewer ports than the default scan Fast mode-Less scanned ports than Default scan -r: Scan ports consecutively - don't randomize -r:Continuous scan port-Don't randomize --top-ports <number>: Scan <number> most common ports -Top port<number>:scanning<number>Most common ports --port-ratio <ratio>: Scan ports more common than <ratio> -Port ratio<ratio>:Scan port ratio<ratio>More common SERVICE/VERSION DETECTION: service/Version checking: -sV: Probe open ports to determine service/version info Probe open ports to determine service/Version information --version-intensity <level>: Set from 0 (light) to 9 (try all probes) —Version strength<level>:Set from 0(light)To 9(Try all probes) --version-light: Limit to most likely probes (intensity 2) -Version light:Limit the most likely detection(Strength 2) --version-all: Try every single probe (intensity 9) -version-all:Try each probe(Strength 9) --version-trace: Show detailed version scan activity (for debugging) -Version tracking:Show detailed version scan activity(For debugging) SCRIPT SCAN: Script scanning: -sC: equivalent to --script=default -sC:Equivalent to—— script=Default value --script=<Lua scripts>: <Lua scripts> is a comma separated list of -script=<Lua scripts>: <Lua scripts>Is a comma separated list directories, script-files or script-categories Directory, script file, or script category --script-args=<n1=v1,[n2=v2,... -script-args = < n1 = v1, n2 = v2,... ]>: provide arguments to scripts ]>:Provide parameters for the script --script-args-file=filename: provide NSE script args in a file -script-args-file=filename:Available in file NSE Script parameters --script-trace: Show all data sent and received -Script tracking:Show all data sent and received --script-updatedb: Update the script database. -script-updatedb:Update script database. --script-help=<Lua scripts>: Show help about scripts. -script-help=<Lua scripts>:Displays help on scripts. <Lua scripts> is a comma separted list of script-files or <Lua scripts>Is a comma separated list of script files or script-categories. script-categories. OS DETECTION: Operating system detection: -O: Enable OS detection Enable operating system detection --osscan-limit: Limit OS detection to promising targets -osscan-limit:take OS Detection is limited to promising targets --osscan-guess: Guess OS more aggressively -osscan-guess:To speculate more boldly TIMING AND PERFORMANCE: Time and performance: Options which take <time> are in seconds, or append 'ms' (milliseconds), Use<time>Options in seconds, or additional'ms'(Millisecond), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). 's'(second),'m'(Minute),or'h'(hour)Value(Such as 30 m). -T<0-5>: Set timing template (higher is faster) -T<0-5>:Set timing template(The faster the higher, the faster.) --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes -min-hostgroup/max-hostgroup <size>:Parallel host scan group size --min-parallelism/max-parallelism <numprobes>: Probe parallelization -Minimum parallelism/Maximum parallelism<numprobes>: Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies -min-rtt-timeout / max-rtt-timeout initial-rtt-timeout <time>:Appoint probe round trip time. Detect round trip time. --max-retries <tries>: Caps number of port scan probe retransmissions. —max-retries <attempt>:The upper limit of port scan probe retransmission. --host-timeout <time>: Give up on target after this long -Host timeout<time>:After such a long time, give up the goal --scan-delay/--max-scan-delay <time>: Adjust delay between probes —scan-delay/—max-scan-delay <time>:Adjust the delay between detectors --min-rate <number>: Send packets no slower than <number> per second —Minimum rate<number>:Send packets no less than per second<number> --max-rate <number>: Send packets no faster than <number> per second —Maximum rate<number>:Send packets no faster than per second<number> FIREWALL/IDS EVASION AND SPOOFING: firewall/IDS Evasion and deception: -f; - f; --mtu <val>: fragment packets (optionally w/given MTU) -mtu <val>:Fragment pack(Optional w/given mtu) -D <decoy1,decoy2[,ME],... - d < decoy1, decoy2[I],... >: Cloak a scan with decoys Cover scan with decoys -S <IP_Address>: Spoof source address -S <IP_Address>:Spoof source address -e <iface>: Use specified interface -e <iface>:Use the specified interface -g/--source-port <portnum>: Use given port number -g/-Source port<portnum>:Use given port number --data-length <num>: Append random data to sent packets -Data length<num>:Append random data to sent packets --ip-options <options>: Send packets with specified ip options -ip-options <options>:Send specify ip Package for option --ttl <val>: Set IP time-to-live field -ttl <val>:Set up IP Time to live field for --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address -Spoof -mac <mac address/prefix/Supplier name>:Deceive you. mac address --badsum: Send packets with a bogus TCP/UDP/SCTP checksum -badsum:Send with pseudo TCP/UDP/SCTP Packets for checksums OUTPUT: output: -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, -oN/-oX/-oS/-oG <file>:The output scan is normal. XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. and Grepable Format, respectively specified file name. -oA <basename>: Output in the three major formats at once -oA <basename>:Output three main formats at the same time -v: Increase verbosity level (use -vv or more for greater effect) -v:Increase redundancy level(Use-vv Or more for better results) -d: Increase debugging level (use -dd or more for greater effect) -d:Increase debug level(Use-dd Or more for better results) --reason: Display the reason a port is in a particular state -Reason:Shows why the port is in a specific state --open: Only show open (or possibly open) ports -open:Show only open(Or possibly open)port --packet-trace: Show all packets sent and received -Packet tracking:Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) -iflist:Print host interface and routing(For debugging) --log-errors: Log errors/warnings to the normal-format output file -Log -errors:Mistake/Warning logged to normal format output file --append-output: Append to rather than clobber specified output files -Additional output:Append to the specified output file instead of clobber --resume <filename>: Resume an aborted scan -resume <filename>:Resume aborted scan --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML —style sheet<path/URL>: XSL Style sheets, for XML Output to HTML --webxml: Reference stylesheet from Nmap. -webxml:from Nmap Reference style sheets. Org for more portable XML Get more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w/XML output -No style sheet:Prevent XSL Style sheets and XML Output associated MISC: MISC: -6: Enable IPv6 scanning -6:Enable IPv6 scanning -A: Enable OS detection, version detection, script scanning, and traceroute Enable operating system detection, version detection, script scanning, and traceroute --datadir <dirname>: Specify custom Nmap data file location -datadir <dirname>:Specify custom Nmap Data file location --send-eth/--send-ip: Send using raw ethernet frames or IP packets -Send out-eth/-Send out- IP:Use the original Ethernet frame or IP Packet sending --privileged: Assume that the user is fully privileged -privilege:Assume that the user is fully privileged --unprivileged: Assume the user lacks raw socket privileges -non-privileged:Suppose the user lacks the original socket privilege -V: Print version number -V:Print version number -h: Print this help summary page. Print this help summary page. EXAMPLES: Example: nmap -v -A scanme.nmap.org nmap -v -A scanme.nmap. org nmap -v -sn 192.168.0.0/16 10.0.0.0/8 nmap -v -sn 192.168.0.0/16 10.0.0.0/8 nmap -v -iR 10000 -Pn -p 80 nmap -v -iR 10000 -Pn - p80 SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES For more options and examples, see MAN page(http://nmap.org/book/man.html)
Nine: summary
Basic security measures of account number
- System account cleaning, password security control, command history cleaning, automatic logout
User switching and rights raising
- su,sudo
Switch safety control
- BIOS boot setting, disable Ctrl+Alt+Del shortcut key, GRUB menu to set password
Terminal control
john the ripper tool
namp command
This chapter mainly talks about unilateral host security, without managing security from the network level