Linux: create a regular user account instead of using root, and avoid logging in with a permanent root account

Rationale

Not only Ubuntu: every Linux distribution, as well as Unix, Windows, Mac OS X and even Symbian, Android and iOS, works this way. A user like root exists in every operating system, under different names; we will refer to it uniformly as the superuser.

Under no circumstances should we hold and use superuser privileges for long periods. For server security we need to carry out the following steps; the author's system is Ubuntu 18.04 x64.

Server security settings

Create a new account

[root@Ubuntu:~]# useradd -m HongXunPan -s /bin/bash
[root@Ubuntu:~]# passwd HongXunPan
New password:
Retype new password:
passwd: password updated successfully
useradd syntax:
useradd [options] name
Options:
-c: add a comment; the text is stored in the comment field of passwd.
-d: --home-dir HOME_DIR, specify the home directory
-e: specify the account expiry date in MM/DD/YY format, e.g. 06/30/12. By default the account never expires.
-f: number of days after the password expires before the account is disabled. 0 disables the account immediately; -1 keeps it usable indefinitely. Default is -1.
-g: --gid GROUP, specify the gid
-G: specify the supplementary groups the user belongs to.
-l: do not record the user in lastlog and faillog; this user's login history is not kept
-m: create the user's home directory automatically.
-M: do not create the user's home directory.
-n: do not create a group named after the user.
-p: --password PASSWORD, specify the new user's password
-r: --system, create a system account
-s: specify the shell used after login. Default is /bin/bash.
-u: specify the user ID. It must be unique on the system. 0~499 are reserved for system accounts by default, so the value must be greater than 499.

Verify the account works

Log in to the server with the account and password just created; the login banner shows that the login succeeded

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

HongXunPan@Ubuntu:~$
HongXunPan@Ubuntu:~$ ll
total 28
drwxr-xr-x 4 HongXunPan HongXunPan 4096 Feb 19 14:02 ./
drwxr-xr-x 3 root       root       4096 Feb 19 13:59 ../
-rw-r--r-- 1 HongXunPan HongXunPan  220 Apr  5  2018 .bash_logout
-rw-r--r-- 1 HongXunPan HongXunPan 3771 Apr  5  2018 .bashrc
drwx------ 2 HongXunPan HongXunPan 4096 Feb 19 14:02 .cache/
drwx------ 3 HongXunPan HongXunPan 4096 Feb 19 14:02 .gnupg/
-rw-r--r-- 1 HongXunPan HongXunPan  807 Apr  5  2018 .profile
HongXunPan@Ubuntu:~$ pwd
/home/HongXunPan

Grant sudo privileges

sudo is a Linux system administration command: a tool that lets the system administrator allow ordinary users to run some or all root commands, such as halt, reboot, su and so on.

[root@Ubuntu:~]# adduser HongXunPan sudo
Adding user `HongXunPan' to group `sudo' ...
Adding user HongXunPan to group sudo
Done.

Run a command with the new account

HongXunPan@Ubuntu:~$ sudo cat /etc/nginx/sites-enabled/kangxuanpeng.conf
[sudo] password for HongXunPan: 
server {
    listen 80;
    server_name kangxuanpeng.com; # this line must be changed: replace it with the server's public IP or domain name
    
    rewrite  ^/(.*)$  http://www.kangxuanpeng.com/$1 permanent;
}

When prompted with [sudo] password for HongXunPan:, enter the current account's password; once it is verified, the rest of the command runs

At this point the new account is fully usable

Disable root ssh login

For security, we should refuse remote ssh logins by the root user

[root@Ubuntu:~]# vim /etc/ssh/sshd_config 

In /etc/ssh/sshd_config, change PermitRootLogin yes to PermitRootLogin no (add the line if it is absent). After the change the ssh service must be restarted

[root@Ubuntu:~]# service ssh restart

Log in again with the root account and password: the server now rejects the authentication

Change the ssh port

In /etc/ssh/sshd_config, change Port 22. A non-standard port is recommended; choose a port number in the range 1024 to 65535

Restart the ssh service

[root@Ubuntu:~]# service ssh restart

Logging in again on the old port no longer connects; connecting to the newly configured port reaches ssh

Remember to open the new port number in the firewall
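As an added check that is not part of the original post, the script below audits an sshd_config file for the two changes made above (PermitRootLogin and Port). It applies sshd's own rule that the first uncommented value of a keyword wins, which is why appending "PermitRootLogin no" below an existing "PermitRootLogin yes" has no effect; the sample file at the end is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the two
# settings changed above. sshd takes the FIRST uncommented value of a keyword,
# so "PermitRootLogin no" appended below an existing "PermitRootLogin yes"
# is silently ignored; the check below applies the same rule.

# Print the effective value of a keyword (first match wins, case-insensitive).
# Stops at the first "Match" block, whose values only apply conditionally.
sshd_effective() {  # $1 = config file, $2 = keyword
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 when root login is disabled and the port is non-default and inside
# the 1024-65535 range recommended above; otherwise print why and return 1.
check_sshd_config() {  # $1 = config file
    root_login=$(sshd_effective "$1" PermitRootLogin)
    port=$(sshd_effective "$1" Port)
    # Defaults OpenSSH uses when the keyword is absent from the file
    [ -n "$root_login" ] || root_login=prohibit-password
    [ -n "$port" ] || port=22
    status=0
    if [ "$root_login" != "no" ]; then
        echo "PermitRootLogin is '$root_login', expected 'no'"
        status=1
    fi
    case "$port" in
        *[!0-9]*) echo "Port '$port' is not numeric"; status=1 ;;
        *) if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
               echo "Port $port is outside 1024-65535 (22 is the default)"
               status=1
           fi ;;
    esac
    return $status
}

# Constructed sample: the appended "no" does not override the earlier "yes".
sample=$(mktemp)
printf 'Port 2222\nPermitRootLogin yes\n# hardening\nPermitRootLogin no\n' > "$sample"
if check_sshd_config "$sample"; then echo "sample OK"; else echo "sample FAILS"; fi
rm -f "$sample"
```

On a live host run check_sshd_config /etc/ssh/sshd_config before restarting ssh; a non-zero exit means one of the two settings would not take effect.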

Set up passwordless sudo

Run as the root account

visudo  // or vi /etc/sudoers

Append the following at the very end

HongXunPan ALL=(ALL:ALL) NOPASSWD:ALL # per-user rule
%HongXunPan ALL=(ALL:ALL) NOPASSWD:ALL # per-group rule (%group)
Be sure to add these at the very end: sudo applies the last matching entry, so if a later entry for one of the user's groups (for example %sudo) also matches, that entry wins and a password is still required

The default editor is nano, so saving and exiting are done with its keyboard shortcuts:

When saving through visudo, the settings are checked automatically; on an error it prompts:

>>> /etc/sudoers: syntax error near line 31 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)

What now?
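An added alternative to appending the rule to /etc/sudoers (this script is not from the original post): stage the NOPASSWD rule for HongXunPan as a drop-in file for /etc/sudoers.d and run the same syntax check visudo performs on save before installing it. It assumes Ubuntu's stock /etc/sudoers, which ends with "#includedir /etc/sudoers.d"; the staging directory in the demonstration is a temporary directory, not /etc/sudoers.d.

```sh
#!/bin/sh
# Added example, not from the original post: install the NOPASSWD rule for
# HongXunPan as a drop-in under /etc/sudoers.d instead of editing /etc/sudoers.
# Ubuntu's /etc/sudoers ends with "#includedir /etc/sudoers.d", so drop-ins are
# parsed after every other entry; because sudo applies the LAST matching entry,
# this keeps the "add it at the very end" effect the post relies on.

# sudo silently skips drop-in names that contain '.' or end in '~'.
valid_dropin_name() {  # $1 = file name without directory
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Write "<user> ALL=(ALL:ALL) NOPASSWD:ALL" into <dir>/<user> with the mode sudo
# requires and print the path. $1 = user, $2 = directory (assumed writable;
# defaults to /etc/sudoers.d, which only root can write).
stage_nopasswd_rule() {
    user=$1; dir=${2:-/etc/sudoers.d}
    valid_dropin_name "$user" || { echo "unusable drop-in name: $user" >&2; return 1; }
    printf '%s ALL=(ALL:ALL) NOPASSWD:ALL\n' "$user" > "$dir/$user"
    chmod 0440 "$dir/$user"   # sudo rejects rule files whose mode is not 0440
    echo "$dir/$user"
}

# Check a staged file the way visudo does on save (visudo -cf). visudo -c also
# verifies root ownership, so when not running as root fall back to a shape
# check of the single expected line. Returns 0 when the file is usable.
check_rule_file() {  # $1 = path
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1" >/dev/null
    else
        [ "$(wc -l < "$1")" -eq 1 ] &&
            grep -Eq '^[A-Za-z0-9_-]+ ALL=\(ALL:ALL\) NOPASSWD:ALL$' "$1"
    fi
}

# Constructed demonstration in a temporary directory, not in /etc/sudoers.d.
stage=$(mktemp -d)
if f=$(stage_nopasswd_rule HongXunPan "$stage") && check_rule_file "$f"; then
    echo "checked: copy $f into /etc/sudoers.d as root to activate it"
fi
rm -rf "$stage"
```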

Verify with the new account

HongXunPan@Ubuntu:~$ sudo cat /etc/nginx/sites-enabled/kangxuanpeng.conf
server {
    listen 80;
    server_name kangxuanpeng.com; # this line must be changed: replace it with the server's public IP or domain name
    
    rewrite  ^/(.*)$  http://www.kangxuanpeng.com/$1 permanent;
}

Verification succeeded

Set up passwordless su

If a user should also not need a password for the su command, do the following

[root@Ubuntu:~]# groupadd wheel
[root@Ubuntu:~]# usermod -aG wheel HongXunPan

usermod -aG appends the wheel group; -G without -a replaces the user's supplementary groups and would remove HongXunPan from the sudo group added earlier. Then make sure the following lines are present and uncommented in /etc/pam.d/su, which is where the commented "Uncomment this ..." block below comes from:

 auth       required   pam_wheel.so group=wheel 
# Uncomment this if you want wheel members to be able to
# su without a password.
 auth       sufficient pam_wheel.so trust use_uid
 auth       sufficient pam_wheel.so trust

The last line must be present, otherwise the setting does not take effect; the reason is unknown

Verify that it took effect

If the command prompt changes to root, it worked; use the exit command to leave the root account and return to the original user

HongXunPan@Ubuntu:~$ su -
[root@Ubuntu:~]# exit
logout