一、用户密码管理
最好设置强口令,即较为复杂的密码
- 手动设置
- 自己手动添加复杂的密码,包括特殊字符,大小写英文,数字结合
- 密码太难了怎么办?密码柜保存密码:本地下载个KeePass,其中可以根据需求自动生成复杂密码
- 自动生成
- 自带的openssl rand -base64 14
- 需要下载的
- 先下载:apt-get -y install expect
- 再使用mkpasswd
二、如何让系统更加安全
- 最小化
- 安装系统
- 安装软件
- 保护好root
- 禁止root用户远程登录
- 修改远程连接的端口22
- 文件系统权限
- 待完善
- 给重要文件/命令做指纹(MD5校验)
MD5校验
校验单个文件
MD5校验的作用:查看系统的文件是否被篡改
root@iZ7xv3gzks0s8fd4bajkgsZ:~# md5sum code.txt
2a747cf143ff6fd9f395388e81cfde4b code.txt
上述代码表示:命令md5sum根据code.txt里面的内容生成哈希值2a747cf143ff6fd9f395388e81cfde4b并保存下来,然后以此来判断code.txt文件里面的内容是否被修改。
root@iZ7xv3gzks0s8fd4bajkgsZ:~# md5sum /root/code.txt
2a747cf143ff6fd9f395388e81cfde4b /root/code.txt
root@iZ7xv3gzks0s8fd4bajkgsZ:~# md5sum /root/code.txt > md5.log
root@iZ7xv3gzks0s8fd4bajkgsZ:~# cat md5.log
2a747cf143ff6fd9f395388e81cfde4b /root/code.txt
root@iZ7xv3gzks0s8fd4bajkgsZ:~# md5sum -c md5.log
/root/code.txt: OK当执行完命令md5sum -c md5.log后
- 系统第一步先执行md5sum /root/code.txt,得到hash值
- 第二步则是将得到的hash值跟md5.log中的hash值去比较,ok则表示文件没有被修改。
注意:这里作者用的是绝对路径,否则md5.log和code.txt应处于同一工作目录下。
校验多个文件
使用find,别忘了,find命令可以根据条件查找指定目录以及指定目录以下的所有文件
root@iZ7xv3gzks0s8fd4bajkgsZ:~# find /root/ -type f | xargs md5sum > md5.log
root@iZ7xv3gzks0s8fd4bajkgsZ:~# md5sum -c md5.log
/root/.selected_editor: OK
/root/.swas/machine-info: OK
/root/.pydistutils.cfg: OK
/root/.cache/motd.legal-displayed: OK
/root/.profile: OK
/root/temp.txt: OK
/root/.local/share/nano/search_history: OK
/root/.mysql_history: OK
/root/md5.log: FAILED
/root/.pip/pip.conf: OK
/root/.wget-hsts: OK
/root/.ssh/authorized_keys: OK
/root/.bashrc: OK
/root/.bash_history: OK
/root/temp/9.txt: OK
/root/temp/4.txt: OK
/root/temp/6.txt: OK
/root/temp/a.txt: OK
/root/temp/allFile.tar.gz: OK
/root/temp/allFile.zip: OK
/root/temp/3.txt: OK
/root/temp/2.txt: OK
/root/temp/test.txt: OK
/root/temp/10.txt: OK
/root/temp/1.txt: OK
/root/temp/5.txt: OK
/root/temp/8.txt: OK
/root/temp/7.txt: OK
/root/.lesshst: OK
/root/code.txt: OK
/root/get-docker.sh: OK
md5sum: WARNING: 1 computed checksum did NOT match看到这里你猜猜为什么会有一个出现NOT match?
三、sudo提权
作用:可以让普通用户执行命令的时候,相当于root的权限。
编辑配置文件的两种方式
# 第一个:
visudo
# 第二个:
vim /etc/sudoers
# 二者等价找到100行,添加:username ALL=(ALL) /usr/bin/cat,/usr/bin/cd
# 查看命令所在文件的绝对路径
which cat # 输入用户密码查看自己提权后拥有root权限的命令
sudo -l 四、last命令
last命令,查看哪些用户登录我们的系统
root@iZ7xv3gzks0s8fd4bajkgsZ:~# !! | head
last | head
# 登录用户 终端 来源IP 登录时间 退出时间 总共待了多久
root pts/1 183.63.97.148 Tue Nov 4 20:42 still logged in
root pts/0 183.63.97.148 Tue Nov 4 20:42 still logged in
root pts/1 183.63.97.148 Tue Nov 4 20:22 - 20:40 (00:17)
root pts/0 183.63.97.148 Tue Nov 4 20:22 - 20:40 (00:17)
root pts/0 223.104.78.229 Tue Nov 4 09:34 - 09:56 (00:22)
root pts/0 223.104.87.227 Mon Nov 3 19:49 - 19:50 (00:01)
root pts/1 183.63.97.247 Mon Nov 3 15:01 - 15:25 (00:23)
root pts/0 183.63.97.247 Mon Nov 3 15:01 - 15:25 (00:23)
root pts/1 183.63.97.148 Mon Nov 3 09:33 - 11:37 (02:04)
root pts/0 183.63.97.148 Mon Nov 3 09:33 - 11:37 (02:04)lastlog命令:查看当前用户最后一次登录的信息。
root@iZ7xv3gzks0s8fd4bajkgsZ:~# lastlog
Username Port From Latest
root pts/1 183.63.97.148 Tue Nov 4 20:42:35 +0800 2025
daemon Never logged in
bin Never logged in
sys Never logged in
sync Never logged in
games Never logged in
man Never logged in
lp Never logged in
mail Never logged in
news Never logged in
uucp Never logged in
proxy Never logged in
www-data Never logged in
backup Never logged in
list Never logged in
irc Never logged in
_apt Never logged in
nobody Never logged in
systemd-network Never logged in
systemd-timesync Never logged in
dhcpcd Never logged in
messagebus Never logged in
systemd-resolve Never logged in
pollinate Never logged in
polkitd Never logged in
syslog Never logged in
uuidd Never logged in
tcpdump Never logged in
tss Never logged in
landscape Never logged in
fwupd-refresh Never logged in
sshd Never logged in
_chrony Never logged in
admin pts/0 100.104.128.249 Tue Oct 7 11:41:27 +0800 2025
mysql Never logged in
redis Never logged in
Comments NOTHING