2019-05-27
由于telnet遠程登錄是明文登陸,容易造成密碼泄露,所以為了保護linux系統(tǒng)安全殖卑,所以禁止root遠程telnet登錄。修改相關配置文件可取消禁止坊萝。
虛擬機環(huán)境
m01(客戶端)
外網IP 10.0.0.61
內網IP 172.16.1.61
查看telnet服務安裝包
[root 16:17 @ m01 ~]# rpm -qa telnet-server
telnet-server-0.17-64.el7.x86_64
沒有請安裝
[root 16:26 @ m01 ~]# yum install -y telnet-server
啟動服務
[root 16:26 @ m01 ~]# systemctl restart telnet.socket
本地shell(windows系統(tǒng)登錄)
[c:\~]$ telnet 10.0.0.61
Connecting to 10.0.0.61:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Kernel 3.10.0-957.el7.x86_64 on an x86_64
m01 login: root
Password:
Login incorrect #登陸錯誤
查看登錄日志(虛擬機m01)
[root 16:32 @ m01 ~]# tail /var/log/secure
May 27 16:16:45 m01 login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=bogon user=root
May 27 16:16:45 m01 login: pam_succeed_if(remote:auth): requirement "uid >= 1000" not met by user "root"
May 27 16:16:47 m01 login: FAILED LOGIN 1 FROM bogon FOR root, Authentication failure
May 27 16:16:52 m01 login: pam_securetty(remote:auth): access denied: tty 'pts/1' is not secure !
May 27 16:16:57 m01 login: pam_succeed_if(remote:auth): requirement "uid >= 1000" not met by user "root"
May 27 16:16:59 m01 login: FAILED LOGIN 2 FROM bogon FOR root, Authentication failure
May 27 16:29:23 m01 login: pam_securetty(remote:auth): access denied: tty 'pts/1' is not secure !
May 27 16:29:23 m01 login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=bogon user=root
May 27 16:29:23 m01 login: pam_succeed_if(remote:auth): requirement "uid >= 1000" not met by user "root"
May 27 16:29:26 m01 login: FAILED LOGIN 1 FROM bogon FOR root, Authentication failure
[root 16:32 @ m01 ~]#
重點
May 27 16:29:23 m01 login: pam_securetty(remote:auth): access denied: tty 'pts/1' is not secure !
May 27 16:29:23 m01 login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=bogon user=root
May 27 16:29:23 m01 login: pam_succeed_if(remote:auth): requirement "uid >= 1000" not met by user "root"
May 27 16:29:26 m01 login: FAILED LOGIN 1 FROM bogon FOR root, Authentication failure
pam_securetty提示 access denied(拒絕訪問):tty pts/1 is not secure(終端 pts/1 不安全)孵稽。
pam_securetty
[root 16:43 @ m01 ~]# man pam_securetty
PAM_SECURETTY(8) Linux-PAM Manual PAM_SECURETTY(8)
NAME
pam_securetty - Limit root login to special devices
-------pam_securetty -限制root登錄到特殊設備
SYNOPSIS
pam_securetty.so [debug]
DESCRIPTION
pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure"
tty, as defined by the listing in /etc/securetty. pam_securetty also checks to make sure that
/etc/securetty is a plain file and not world writable. It will also allow root logins on the tty
specified with console= switch on the kernel command line and on ttys from the
/sys/class/tty/console/active.
-------pam_securetty是一個PAM模塊许起,它只允許在用戶以“安全”登錄時根用戶登錄。
tty菩鲜,由/etc/securetty中的清單定義园细。pam_securetty也進行了檢查
/etc/securetty是一個普通文件,不能寫接校。它還允許root登錄tty
方法在內核命令行和ttys上進行切換/sys/class/tty/console/active.
查看/etc/securetty
[root 16:53 @ m01 ~]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
...
...
hvsi2
xvc0
[root 16:53 @ m01 ~]#
在配置文件/etc/securetty中添加pts/1
[root 16:53 @ m01 ~]# vim /etc/securetty
1 console
2 pts/1
3 vc/1
4 vc/2
5 vc/3
...
...
38 hvsi1
39 hvsi2
40 xvc0
重啟telnet服務
[root 17:01 @ m01 ~]# systemctl restart telnet.socket
[root 17:01 @ m01 ~]#
本地shell telnet登陸
[c:\~]$ telnet 10.0.0.61
Connecting to 10.0.0.61:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Kernel 3.10.0-957.el7.x86_64 on an x86_64
m01 login: root
Password:
Last failed login: Mon May 27 17:02:30 CST 2019 from bogon on pts/1
There were 10 failed login attempts since the last successful login.
Last login: Mon May 27 15:54:48 from 10.0.0.1
[root 17:02 @ m01 ~]#
為了安全猛频,可追溯,限制root用戶遠程telnet登陸去掉pts/1馅笙,恢復默認.
[root 17:01 @ m01 ~]# vim /etc/securetty
1 console
2 vc/1
3 vc/2
...
...
37 hvsi1
38 hvsi2
39 xvc0
