2019-05-27
由于telnet远程登录是明文登陆,容易造成密码泄露,所以为了保护linux系统安全,所以禁止root远程telnet登录。修改相关配置文件可取消禁止。
虚拟机环境
m01(客户端)
外网IP 10.0.0.61
内网IP 172.16.1.61
查看telnet服务安装包
[root 16:17 @ m01 ~]# rpm -qa telnet-server
telnet-server-0.17-64.el7.x86_64
没有请安装
[root 16:26 @ m01 ~]# yum install -y telnet-server
启动服务
[root 16:26 @ m01 ~]# systemctl restart telnet.socket
本地shell(windows系统登录)
[c:\~]$ telnet 10.0.0.61
Connecting to 10.0.0.61:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Kernel 3.10.0-957.el7.x86_64 on an x86_64
m01 login: root
Password:
Login incorrect #登陆错误
查看登录日志(虚拟机m01)
[root 16:32 @ m01 ~]# tail /var/log/secure
May 27 16:16:45 m01 login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=bogon user=root
May 27 16:16:45 m01 login: pam_succeed_if(remote:auth): requirement "uid >= 1000" not met by user "root"
May 27 16:16:47 m01 login: FAILED LOGIN 1 FROM bogon FOR root, Authentication failure
May 27 16:16:52 m01 login: pam_securetty(remote:auth): access denied: tty 'pts/1' is not secure !
May 27 16:16:57 m01 login: pam_succeed_if(remote:auth): requirement "uid >= 1000" not met by user "root"
May 27 16:16:59 m01 login: FAILED LOGIN 2 FROM bogon FOR root, Authentication failure
May 27 16:29:23 m01 login: pam_securetty(remote:auth): access denied: tty 'pts/1' is not secure !
May 27 16:29:23 m01 login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=bogon user=root
May 27 16:29:23 m01 login: pam_succeed_if(remote:auth): requirement "uid >= 1000" not met by user "root"
May 27 16:29:26 m01 login: FAILED LOGIN 1 FROM bogon FOR root, Authentication failure
[root 16:32 @ m01 ~]#
重点
May 27 16:29:23 m01 login: pam_securetty(remote:auth): access denied: tty 'pts/1' is not secure !
May 27 16:29:23 m01 login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=bogon user=root
May 27 16:29:23 m01 login: pam_succeed_if(remote:auth): requirement "uid >= 1000" not met by user "root"
May 27 16:29:26 m01 login: FAILED LOGIN 1 FROM bogon FOR root, Authentication failure
pam_securetty提示 access denied(拒绝访问):tty pts/1 is not secure(终端 pts/1 不安全)。
pam_securetty
[root 16:43 @ m01 ~]# man pam_securetty
PAM_SECURETTY(8) Linux-PAM Manual PAM_SECURETTY(8)
NAME
pam_securetty - Limit root login to special devices
-------pam_securetty -限制root登录到特殊设备
SYNOPSIS
pam_securetty.so [debug]
DESCRIPTION
pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure"
tty, as defined by the listing in /etc/securetty. pam_securetty also checks to make sure that
/etc/securetty is a plain file and not world writable. It will also allow root logins on the tty
specified with console= switch on the kernel command line and on ttys from the
/sys/class/tty/console/active.
-------pam_securetty是一个PAM模块,它只允许在用户以“安全”登录时根用户登录。
tty,由/etc/securetty中的清单定义。pam_securetty也进行了检查
/etc/securetty是一个普通文件,不能写。它还允许root登录tty
方法在内核命令行和ttys上进行切换/sys/class/tty/console/active.
查看/etc/securetty
[root 16:53 @ m01 ~]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
...
...
hvsi2
xvc0
[root 16:53 @ m01 ~]#
在配置文件/etc/securetty中添加pts/1
[root 16:53 @ m01 ~]# vim /etc/securetty
1 console
2 pts/1
3 vc/1
4 vc/2
5 vc/3
...
...
38 hvsi1
39 hvsi2
40 xvc0
重启telnet服务
[root 17:01 @ m01 ~]# systemctl restart telnet.socket
[root 17:01 @ m01 ~]#
本地shell telnet登陆
[c:\~]$ telnet 10.0.0.61
Connecting to 10.0.0.61:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Kernel 3.10.0-957.el7.x86_64 on an x86_64
m01 login: root
Password:
Last failed login: Mon May 27 17:02:30 CST 2019 from bogon on pts/1
There were 10 failed login attempts since the last successful login.
Last login: Mon May 27 15:54:48 from 10.0.0.1
[root 17:02 @ m01 ~]#
为了安全,可追溯,限制root用户远程telnet登陆去掉pts/1,恢复默认.
[root 17:01 @ m01 ~]# vim /etc/securetty
1 console
2 vc/1
3 vc/2
...
...
37 hvsi1
38 hvsi2
39 xvc0
