I. Basic security
1. System account cleanup
Linux accounts fall into root, manually created user accounts, accounts that run system services, and non-login users. Common non-login users include bin, daemon, adm, mail, nobody, apache, mysql and ftp; some of them are seldom used and can be deleted, such as news, uucp, games and gopher. Accounts left behind after an application is uninstalled also have to be removed by the administrator by hand. You can list them from /etc/passwd:
grep "/sbin/nologin$" /etc/passwd
For accounts that have not been used for a long time, where you are not sure whether they can be deleted, lock the user instead:
usermod -L username    # lock the account
usermod -U username    # unlock the account
If the set of accounts on the server is fixed and will not change, you can go further and lock the account configuration files themselves:
chattr +i file    # lock the file
chattr -i file    # unlock the file
lsattr file       # view the lock status
Once /etc/passwd and /etc/shadow are locked this way, users can no longer be added.
2. Password security control
Limit the maximum number of days a user's password remains valid:
vim /etc/login.defs    # applies to newly created users
Set the maximum password age (PASS_MAX_DAYS) to 30 days.
chage -M 30 tom    # applies to an existing user
When creating users in bulk, force them to change their password at the next login:
chage -d 0 tom
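The account checks from sections 1 and 2 (unneeded or leftover accounts, locked accounts, and password ageing that has not been tightened to the 30-day limit) can be scripted as a small audit. This is an added example, not from the original post; the passwd and shadow lines are constructed sample data with placeholder hashes, and on a real host you would feed the functions /etc/passwd and /etc/shadow instead.

```shell
#!/bin/sh
# Constructed sample data (not from a real host); the hashes are placeholders.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
tom:x:1000:1000:tom:/home/tom:/bin/bash
jerry:x:1001:1001:jerry:/home/jerry:/bin/bash
backdoor:x:0:0::/root:/bin/bash'
SAMPLE_SHADOW='root:$6$PLACEHOLDER:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
tom:!$6$PLACEHOLDER:19000:0:30:7:::
jerry:$6$PLACEHOLDER:19000:0:99999:7:::
backdoor:$6$PLACEHOLDER:19000:0:99999:7:::'

# Each function reads passwd- or shadow-format lines on stdin and prints one account name per line.

# Accounts that can get an interactive shell (anything but nologin/false; an empty shell field means /bin/sh).
interactive_accounts() { awk -F: '$7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'; }

# Any account besides root with UID 0: a second superuser entry is a classic tampering indicator.
extra_uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }'; }

# Leftover service accounts the text calls seldom used (news, uucp, games, gopher).
legacy_accounts() { awk -F: '$1 ~ /^(news|uucp|games|gopher)$/ { print $1 }'; }

# Accounts locked with "usermod -L" (shadow field 2 starts with "!").
locked_accounts() { awk -F: '$2 ~ /^!/ { print $1 }'; }

# Accounts with a usable password whose maximum age (shadow field 5) exceeds $1 days,
# i.e. accounts "chage -M" has not yet been applied to. Locked and no-password entries are skipped.
password_max_days_over() { awk -F: -v limit="$1" '$2 !~ /^[!*]/ && $2 != "" && $5 > limit { print $1 }'; }

# Run the checks against the constructed data (as root on a real host: "< /etc/passwd" and "< /etc/shadow").
printf 'interactive: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts | tr '\n' ' ')"
printf 'extra uid 0: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts | tr '\n' ' ')"
printf 'legacy:      %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | legacy_accounts | tr '\n' ' ')"
printf 'locked:      %s\n' "$(printf '%s\n' "$SAMPLE_SHADOW" | locked_accounts | tr '\n' ' ')"
printf 'max > 30d:   %s\n' "$(printf '%s\n' "$SAMPLE_SHADOW" | password_max_days_over 30 | tr '\n' ' ')"
```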
3. Clear the command history
Change the HISTSIZE variable (the default is 1000):
vim /etc/profile    # applies to users who log in from now on
HISTSIZE=200    # reduce to 200 entries
export HISTSIZE=200    # applies to the current user session
You can also have the command history cleared automatically on logout:
vim ~/.bash_logout
Add the two commands history -c and clear.
Set a terminal idle timeout so that a terminal is logged out automatically when no command has been entered for a while:
vim /etc/profile    # applies to users who log in from now on
export TMOUT=600    # close the session after 600 seconds idle
export TMOUT=600    # applies to the current user session
Use unset TMOUT to remove the TMOUT variable if necessary.
II. User privilege settings
1. The su command
Switches to another user.
Restrict which users may run su, to better protect the root password:
Add the user to the wheel group:
gpasswd -a tom wheel
grep wheel /etc/group    # confirm the wheel group's members
vim /etc/pam.d/su
Enable pam_wheel authentication (uncomment the pam_wheel.so line); users who are not in the wheel group can then no longer use su.
User switches made with su are recorded in the security log, /var/log/secure.
2. The sudo command
Raises execution privileges so that ordinary users can also run specific commands.
Authorizations are added in the configuration file /etc/sudoers.
Edit it with the dedicated tool visudo.
The basic format is: user MACHINE=COMMANDS
user: a username, or %groupname for a whole group
MACHINE: the host name the rule applies to, which lets one sudoers file be shared between several hosts
COMMANDS: the commands, given with their full paths; separate several commands with ",", and prefix a command with "!" to exclude it. For example: everything under /usr/bin/ may be executed except userdel.
Defaults logfile ... turns on sudo logging
sudo -l    # view the sudo configuration for the current user
The user's sudo operations are then recorded in /var/log/sudo.
III. Boot and shutdown security
1. Adjust the BIOS boot settings
Set the first boot device to the disk the current system resides on.
Disable booting from other devices (CD, USB, network): set them to Disabled.
Set the BIOS security level to setup and set an administrator password.
2. On a multi-terminal server, disable the Ctrl+Alt+Del reboot
Comment out the last line.
3. Set a GRUB boot menu password
Generate the encrypted password.
Copy the encrypted password into the GRUB configuration.
Re-enter the GRUB menu: pressing E no longer opens the edit mode directly; you must press P and enter the password first.
IV. Terminals and login
1. Reduce the number of open TTY terminals
/etc/init/tty.conf controls whether TTY terminals are opened
/etc/init/start-ttys.conf controls the number of TTY terminals opened and their device files
/etc/sysconfig/init controls the number of TTY terminals opened and the terminal colour
Limit the count by changing the numbers in start-ttys.conf and sysconfig/init.
2. Restrict the terminals root may log in from: edit /etc/securetty and comment out the terminals on which root login should be forbidden.
3. Prohibit normal user login
When the server is being backed up or debugged and you do not want users to log in, simply create the file /etc/nologin; delete the file to allow logins again.
Linux System Account security control