Network security series of ten two Linux user account security settings

User account is the computer users of the credentials or identification, every person to access the system resources, must rely on his user account to enter the computer. In the Linux system, there are many mechanisms to ensure the proper and safe use of user accounts. It is the first step to ensure the security of Linux system that the user account is properly planned and the rights are appropriately assigned.

1. Clean up the SYSTEM account
In Linux systems, some programs create unique users and groups when they are installed, which are used only to start a service or run a process, usually without logging in, such as MySQL, Apache, named, News .... When an attacker impersonates these user or group identities, they are often not easily discovered by administrators.
For these system accounts, first make sure they cannot be used to log in, that is, to set their login shell to/sbin/nologin, and to consider deleting or locking the account.
Depending on the specific application of the current server, users and groups that are not in use can be removed. For example, users and groups that are rarely used include: news, UUCP, games, Gopher, and so on. Again, if the server does not need to enable the named service, then you can delete the named user, named Group, if you do not provide FTP service, you can delete the FTP user, FTP group;
You can also lock a user if you are unsure whether the user can delete it. Example: Lock user sync.
[[email protected] ~]# passwd-l Sync

It is recommended to use locking methods.

2. Lock the account file
If you determine that the account in the system has reached a stable state, do not need to make any changes, then you can use the CHATTR command to lock the account file/etc/passwd and/etc/shadow.

[Email protected] ~]# chattr +i/etc/passwd/etc/shadow
[Email protected] ~]# Lsattr/etc/passwd/etc/shadow
----I--------/etc/passwd
----I--------/etc/shadow
At this point, the user is created with an error message.

[Email protected] ~]# Useradd Temp
Useradd: Unable to open password file
To unlock a file:

[Email protected] ~]# chattr-i/etc/passwd/etc/shadow
[Email protected] ~]# Lsattr/etc/passwd/etc/shadow
-------------/etc/passwd
-------------/etc/shadow

3. Set the user Password policy
In a Linux system, there are two things you can do to set up a user password policy: For a newly created account, for an account that already exists in the system.
For newly created accounts, you can set the password policy by modifying the profile/etc/login.defs, which defines the default settings when creating user accounts, such as specifying the user's UID and GID range, the expiration time of the account, whether the user's home directory needs to be created, and so on.
Here is an introduction to the important parameters of the/etc/login.defs file:
650) this.width=650; "title=" 1.jpg "alt=" wkiom1rmlzcda3sgaajhw6p11ie925.jpg "src=" http://s3.51cto.com/wyfs02/M02/ 4d/1e/wkiom1rmlzcda3sgaajhw6p11ie925.jpg "/>

Modify the settings in this file to be valid only for newly created users. For example, to limit the user's password validity period (maximum days) to 30 days, you can set the value of "pass_max_days" to 30, then all new users will have a password validity period of 30 days.
For accounts that already exist in the system, you can set the password policy through the chage command.
Common options for the chage command:
-M, set the maximum user password usage time.
-W, set the user password expiration warning time.
-D, set the password modification time.
Example: Change the password validity period for Zhangsan to 30 days.
[Email protected] ~]# chage-m Zhangsan
Example: Change the password expiration warning time for Zhangsan to 7 days.
[Email protected] ~]# chage-w 7 Zhangsan
Example: Forcing user Zhangsan to change the password at the next logon.

[Email protected] ~]# chage-d 0 Zhangsan

4. Set the number of history command bars
By executing the history command, you can list historical commands that were previously executed, which also poses a security risk.
If we need to set the history command record number of all users to 100, this requires modifying the/etc/profile file.
The/etc/profile file is used to set the user to automatically perform certain actions when logging on to the system, which is valid for all users.

650) this.width=650; "title=" 2.jpg "alt=" wkiom1rmmnxyzydcaablks02sh0246.jpg "src=" http://s3.51cto.com/wyfs02/M02/ 4d/1e/wkiom1rmmnxyzydcaablks02sh0246.jpg "/>

For example, we want the root user to automatically empty the history command each time the logout exits, and a "history–c" command can be added to the. bash_logout file in the user's home directory.

650) this.width=650; "title=" 3.jpg "alt=" wkiol1rmmwwrstlqaabomruumaa679.jpg "src=" http://s3.51cto.com/wyfs02/M01/ 4d/1f/wkiol1rmmwwrstlqaabomruumaa679.jpg "/>

5. Set Terminal Automatic logoff
When a user logs in through a terminal, a tmout variable can be set, and the account is automatically logged out when the specified time is exceeded (the default unit is seconds) without input. Setting the appropriate timeout period can effectively avoid the risk of misuse of the server by other people when the administrator is absent.
Setting up automatic logoff still requires modifying the/etc/profile file.
Example: Set an account timeout of 10 minutes for automatic logoff.
650) this.width=650; "title=" 4.jpg "alt=" wkiol1rmmpute0ozaabvqgl_pdi300.jpg "src=" http://s3.51cto.com/wyfs02/M00/ 4d/1f/wkiol1rmmpute0ozaabvqgl_pdi300.jpg "/>

This article from "a pot of turbid wine" blog, reproduced please contact the author!

Network security series of ten two Linux user account security settings