Linux system reinforcement-User Password Validity Mechanism and GRUB Security Settings

Modify the user password's Validity Period Mechanism

The effective mechanism of User Password modification can effectively prevent users from automatically failing their accounts after they leave their jobs for a period of time. Even if the administrator forgets to delete the account, the account will not cause harm to the system.

1./etc/login. defs

"/Etc/login. the defs file is a plan for creating a user, such as whether to use the home directory, the UID and GID range, and the user's validity period when creating a user, this file can be defined by root.

You can use "vim/etc/login. defs" to modify it:

 

 

PASS_MAX_DAYS: Maximum Password validity period (default value: 99999, equivalent to disabling the password's validity period)

PASS_MIN_DAYS: Minimum Password Validity Period

PASS_MIN_LEN: Minimum Password strength (recommended minimum password is 8 characters)

PASS_WARN_AGE: set the number of days before the password expires to notify the user to change the password (generally, the user will receive a warning when logging on to the system)

2. You can also search for the keywords "INACTIVE" and "EXPIRE" in the "/etc/default/useradd" file"

 

 

INACTIVE: indicates that the password is invalid several days after it expires (default value:-1)

EXPIRE: set a fixed password expiration date for all new users, in the format of "year-month-day"

The above two methods and policies can only take effect for new users. However, to modify policies for existing users, you must use the chage command, for example:

# Chage-l blacktha

 

 

This command lists the current validity period of the blacktha user.

# Chage-M 30 blacktha

 

 

This command changes the password validity period of the user blacktha to 30 days, and changes the corresponding shadow file.

The following are the chage command (Tool) parameters:

-M: PASS_MAX_DAYS

-L: lists the validity period of a user's current password.

-M: PASS_MIN_DAYS

-W: PASS_WARN_AGE

However, it is worth noting that chage only works for local users. If the system uses an authentication system like LDAP, it does not work.

Grub File Location: "/etc/grub. conf"

Check whether the password is set for grub and run "vim/etc/grub. conf"

 

 

The system does not add a password to grub by default. Next, add a protection layer to grub.

First, encrypt the MD5 of the password to be added. To facilitate the operation, run the following command in the vim Editor: "! /Sbin/grub-md5-crypt ", then enter the password:

 

 

Obtain MD5-encrypted characters:

 

 

First, add "lock" to the grub. conf file, and then "password" to add the string encrypted with MD5:

 

 

Run ": x" to save and exit the reboot system. You can find that grub has been locked:

 

 

Then press enter to enter the grub boot interface. In this case, you need to enter the password to enable grub to boot the system:

 

 

Enter "p" and password:

 

 

After entering the password, press enter to guide the system:

 

 

Log on to the system and click OK!