4 Ways to Disable Root Account in Linux


The root account is the ultimate account on Linux and other Unix-like operating systems. This account has access to all commands and files on a system, with full read, write and execute permissions. It is used to perform any kind of task on a system: to install/remove/upgrade software packages, and much more.

Because the root user has absolute power, any action he/she performs is critical to the system. Any error made as root can therefore have a large impact on the normal operation of the system. In addition, the account can be abused by using it improperly or inappropriately, whether by accident, maliciously, or through ignorance of policies.

It is therefore advisable to disable root access on your Linux server and instead create an administrative account configured to gain root user privileges with the sudo command, to perform critical tasks on the server.

In this article, we will explain four ways to disable root user account login in Linux.

Attention: Before you block access to the root account, make sure you have created an administrative account with the useradd command, one able to gain root privileges through sudo, and given it a strong password. The -m flag creates the user's home directory and -c lets you specify a comment:

# useradd -m -c "Admin User" admin
# passwd admin

Next, add this user to the appropriate group of system administrators using the usermod command, where the -a switch appends the user account and -G specifies the group to add the user to (wheel or sudo, depending on your Linux distribution):

# usermod -aG wheel admin    #CentOS/RHEL
# usermod -aG sudo admin     #Debian/Ubuntu 

Once you have created a user with administrative privileges, switch to that account in order to block root access.

# su admin
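
Before root is locked, it is worth confirming that the new account can really take over. The following is an added example, not from the original article: the function names and the prefix argument are assumptions, and it assumes sudoers grants rights to the wheel or sudo group, as the usermod step above relies on.

```shell
#!/bin/sh
# Added example: confirm the replacement admin account can take over
# before root is locked. $2 is a hypothetical prefix ("" = live system,
# or a directory that holds a copy of /etc).

in_admin_group() {       # listed as a member of wheel or sudo in /etc/group
    awk -F: -v u="$1" '$1 == "wheel" || $1 == "sudo" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$2/etc/group"
}

has_usable_password() {  # shadow field 2 is set and not locked ("!" or "*")
    awk -F: -v u="$1" '$1 == u { h = $2 }
        END { exit !(h != "" && h !~ /^[!*]/) }' "$2/etc/shadow"
}

has_login_shell() {      # passwd field 7 is set and is not nologin/false
    awk -F: -v u="$1" '$1 == u { s = $7 }
        END { exit !(s != "" && s !~ /(nologin|false)$/) }' "$2/etc/passwd"
}

ready_to_lock_root() {   # usage: ready_to_lock_root USER PREFIX
    in_admin_group "$1" "$2" && has_usable_password "$1" "$2" &&
        has_login_shell "$1" "$2"
}

# Live check (run as root, /etc/shadow is not readable otherwise).
if [ "${1-}" = --live ]; then ready_to_lock_root "${2:-admin}" ""; fi
```

Only local accounts in /etc/passwd, /etc/group and /etc/shadow are examined; accounts served from a directory service are not seen by this check.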

1. Change root User's Shell

The simplest way to disable root user login is to change its shell from /bin/bash (or any other shell that permits user login) to /sbin/nologin in the /etc/passwd file, which you can open for editing with any of your favorite command-line editors as shown.

  
$ sudo vim /etc/passwd

Change the line:

root:x:0:0:root:/root:/bin/bash
to
root:x:0:0:root:/root:/sbin/nologin

Save the file and close it.

From now on, when the root user logs in, he/she will get the message "This account is currently not available." This is the default message, but you can change it and set a custom message in the file /etc/nologin.txt.

This method is only effective with programs that require a shell for user login; otherwise, sudo, ftp and email clients can still access the root account.

2. Disable root Login via Console Device (TTY)

The second method uses a PAM module called pam_securetty, which permits root access only if the user is logging in on a "secure" TTY, as defined by the listing in /etc/securetty.

The above file lets you specify which TTY devices the root user is allowed to log in on; emptying this file prevents root login on any device attached to the computer system.

To create an empty file, run:

$ sudo mv /etc/securetty /etc/securetty.orig
$ sudo touch /etc/securetty
$ sudo chmod 600 /etc/securetty

This method has some limitations: it only affects programs such as login, display managers (i.e. gdm, kdm and xdm) and other network services that launch a TTY. Programs such as su, sudo, ssh, and other related openssh tools will still have access to the root account.

3. Disable SSH Root Login

The commonest way of accessing remote servers or VPSs is via SSH, and to block root user login over it, you need to edit the /etc/ssh/sshd_config file.

$ sudo vim /etc/ssh/sshd_config

Then uncomment (if it is commented out) the PermitRootLogin directive and set its value to no.

Once you are done, save and close the file. Then restart the sshd service to apply the recent change in configuration.

$ sudo systemctl restart sshd 
OR
$ sudo service sshd restart 

As you may already know, this method only affects the openssh tool set: programs such as ssh, scp and sftp will be blocked from accessing the root account.

4. Restrict root Access to Services Via PAM

Pluggable Authentication Modules (PAM for short) is a centralized, pluggable, modular and flexible method of authentication on Linux systems. PAM, through the /lib/security/pam_listfile.so module, allows great flexibility in limiting the privileges of specific accounts.

The above module can be used to reference a list of users who are not allowed to log in via certain target services such as login, ssh and any PAM-aware programs.

In this case, we want to disable root user access to a system by restricting access to the login and sshd services. First, open and edit the file for the target service in the /etc/pam.d/ directory as shown.

$ sudo vim /etc/pam.d/login
OR
$ sudo vim /etc/pam.d/sshd

Next, add the configuration below to both files.

auth    required       pam_listfile.so \
        onerr=succeed  item=user  sense=deny  file=/etc/ssh/deniedusers

When you are done, save and close each file. Then create the plain file /etc/ssh/deniedusers, which should contain one item per line and must not be world-readable.

Add the name root to it, then save and close it.

$ sudo vim /etc/ssh/deniedusers

Also set the required permissions on it.

$ sudo chmod 600 /etc/ssh/deniedusers

This method only affects programs and services that are PAM-aware. You can block root access to the system via ftp, email clients and more.
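
The checks below are an added example, not part of the original article: a POSIX shell audit of the four settings described above. The prefix argument and the function names are assumptions made for the example, and Include files and Match blocks in sshd_config are not followed.

```shell
#!/bin/sh
# Added example (not from the article): audit the four restrictions.
# $1 is a hypothetical prefix: "" = live system, or a directory with a copy of /etc.

root_shell() {          # method 1: shell field of the root entry
    awk -F: '$1 == "root" { print $7; exit }' "$1/etc/passwd"
}

securetty_empty() {     # method 2: file exists and lists no TTY
    [ -f "$1/etc/securetty" ] && ! grep -q '^[^#]' "$1/etc/securetty"
}

permit_root_login() {   # method 3: sshd keeps the first value it reads
    awk 'tolower($1) == "permitrootlogin" { print $2; f = 1; exit }
         END { if (!f) print "unset" }' "$1/etc/ssh/sshd_config"
}

pam_denies_root() {     # method 4: deny rule in pam.d/$2 and a usable list
    list=$1/etc/ssh/deniedusers
    # onerr=succeed passes the user if the list cannot be read, so also
    # require that the list exists, names root and is not world-readable.
    awk '/\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }  # join continued lines
         { $0 = buf $0; buf = "" }
         $1 == "auth" && /pam_listfile\.so/ && /item=user/ && /sense=deny/ &&
         /file=\/etc\/ssh\/deniedusers/ { ok = 1 }
         END { exit !ok }' "$1/etc/pam.d/$2" &&
    grep -qsx root "$list" && [ -z "$(find "$list" -perm -004)" ]
}

audit_root_login() {    # one line per check; returns how many are missing
    p=$1 miss=0
    case $(root_shell "$p") in
        */nologin) echo "1 shell: nologin" ;;
        *) echo "1 shell: login shell still set"; miss=$((miss + 1)) ;;
    esac
    if securetty_empty "$p"; then echo "2 securetty: empty"
    else echo "2 securetty: missing or lists TTYs"; miss=$((miss + 1)); fi
    v=$(permit_root_login "$p")
    if [ "$v" = no ]; then echo "3 sshd_config: PermitRootLogin no"
    else echo "3 sshd_config: PermitRootLogin $v"; miss=$((miss + 1)); fi
    for svc in login sshd; do
        if pam_denies_root "$p" "$svc"; then echo "4 pam.d/$svc: root denied"
        else echo "4 pam.d/$svc: no working deny rule"; miss=$((miss + 1)); fi
    done
    return "$miss"
}

if [ "${1-}" = --live ]; then audit_root_login ""; fi
```

Run it as root with --live, since /etc/securetty and /etc/ssh/deniedusers are mode 600. On a live host, sshd -T prints the effective configuration as sshd itself computes it.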

For more information, consult the relevant man pages.

$ man pam_securetty
$ man sshd_config
$ man pam

That's all! In this article, we have explained four ways of disabling root user login (or the account) in Linux. If you have any comments, suggestions or questions, feel free to reach us via the feedback form below.