As an open source operating system, Linux server is widely used because of its security, efficiency and stability. However, if it is not controlled, there is no safe place to go. This blog mainly focuses on account security control, system boot and login control to achieve Linux system security. Change. And use auxiliary tools to find potential safety hazards, so that we can take appropriate measures in time.
Basic safety measures:
1. All kinds of redundant accounts in the system, such as games, can be deleted directly, including some program accounts. If the account can not be deleted after uninstalling the program, we need to delete it manually.

2. When the user account in the server is fixed and no change is made, the account configuration file can be locked directly. After locking, the user can not be added and the user password can not be changed:

[root@localhost ~]# chattr +i /etc/passwd /etc/shadow             #Lock files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow                  #Check to see if it's locked
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow             #Unlock files

3. Password validity control: In order to reduce the risk of password being violently cracked or guessed, the password validity period can be set to limit the maximum effective days of password. For users whose password has expired, the password must be reset when they log in, otherwise they will refuse to log in.

[root@localhost ~]# vim /etc/login.defs                #For new users, 30 days for new users after configuration
                     ........................
PASS_MAX_DAYS   30             #Change the default value of the configuration item "99999" to the expected value, such as 30 days.
[root@localhost ~]# chage -M 30  zhangsan             # For existing users, specify existing users for 30 days
[root@localhost ~]# chage -d 0 zhangsan               # Zhang San Next Logon Must Modify Password

4. Command history, automatic logoff:

[root@localhost ~]# vim /etc/profile           #Suitable for new login users     
                         ................
HISTSIZE=200                 #The command history is 200
export TMOUT=600                        #Automatic logout time is 600 seconds  

 #Applicable to current users
[root@localhost ~]# export HISTSIZE=200       # The command history is 200
[root@localhost ~]# export TMOUT=600           # Automatic logout time is 600 seconds        

Note: When compiling program code, modifying system configuration and other time-consuming operations are being performed, it is better not to set TMOUT variables. If necessary, you can execute the "unset TMOUT" command to cancel the TMOUT variable settings.
Controlling user switching and privileging:
1. su command - switching users
By default, any user is allowed to use the Su command, which gives him the opportunity to repeatedly try the login password of other users (such as root), thus creating a security risk. To avoid this situation, only a few users are allowed to switch using the Su command with the help of the pam_wheel authentication module. The implementation process is as follows: adding users authorized to use Su command to the wheel group, modifying the / etc/pam.d/su authentication configuration to enable pam_wheel authentication:

[root@localhost ~]# gpasswd -a admin wheel                  #Add authorized user admin
//Adding user "admin" to the "wheel" group
[root@localhost ~]# grep wheel /etc/group             #Confirmation of wheel group members
wheel:x:10:admin
[root@localhost ~]# vim /etc/pam.d/su

#%PAM-1.0
auth            sufficient      pam_rootok.so
                        ...................
auth            required        pam_wheel.so use_uid          #Get rid of the beginning of the trip # Number

Then only users in the wheel group can use the su command. Switching users with the su command will be recorded in the security log / var / log / security file, which can be viewed as needed.
2. sudo command - enhance Execution Authority
The su command can be used to switch to another user conveniently, but the prerequisite is to know the login password of the target user. If you want to switch to root user, you must know the password of root user. For Linux server in production environment, every more person knows the root password, its security risk will increase by one point. So the sudo command came into being.

The control of sudo command only needs to add authorization in / etc/sudoers configuration file. It needs to be edited with special visudo tool and vi, but "w" must be executed when saving. Command to save mandatory, otherwise the system will prompt the file to refuse to save as a read-only file.
In the configuration file / etc/sudoers, the basic configuration format for authorization records is as follows:

user MACHINE=COMMANDS

The specific meaning is as follows:
User: directly authorize the specified user name, or in the form of "% group name" (authorize all users in a group).
MACHINE: Use the host name of this configuration file. This part is mainly to facilitate sharing the same sudoers file among multiple hosts. It is usually set to localhost or the actual host name.
COMMANDS: A privileged command that allows authorized users to execute by sudo. It needs to fill in the absolute path of the command. Multiple commands are separated by commas.

[root@localhost ~]# visudo
                      .........................
zhangsan   localhost=/sbin/ifconfig
%wheel  ALL=NOPASSWD:ALL

The above configuration allows users to execute ifconfig commands, while users of the wheel group can execute any commands without verifying their passwords.
Centrally defined aliases can be used when there are more users using the same authorization or when there are more authorized commands. For example, users user1, user2 and user3 are allowed to execute rpm and yum commands in smtp and pop hosts:
[root@localhost ~]# visudo

User_Alias      OPERATORS=user1,user2,user3                 #Define a list of usernames
Host_Alias      MAILSVRS=smtp,pop                            #Define host list
Cmnd_Alias      PKGTOOLS=/bin/rpm,/usr/bin/yum               #Define a list of commands
OPERATORS       MAILSVRS=PKGTOOLS                              #Associate defined lists

The command part of sudo configuration record can use wildcard character "*" and anti-symbol "!" Suo logging can also be enabled for operation and maintenance personnel to view. It is especially useful when you need to authorize all commands in a directory or cancel individual commands. For example, authorized user zhangsan can execute commands in / sbin / directory other than ifconfig and route, and enable logging:

[root@localhost ~]# visudo

zhangsan        localhost=/sbin/*,!/sbin/ifconfig,!/sbin/route             #The application of wildcards and negatives.
Defaults logfile = "/var/log/sudo"                     #Enabling Logging

Be careful:
1. When executing a command through sudo command for the first time, the user's own password must be used to verify the command, and then the sudo command must be executed again. As long as the interval between the sudo operation and the previous one is not more than 5 minutes, no repeated validation is required.
2. If you want to see which sudo authorizations the user obtains, you can execute "sudo-l". If the word "ALL" appears in the sudo privilege list of a user, it means that the authorization is wrong. At this time, the user has the execution privileges of all commands. If the authorization list edited by the visudo command is correct, you need to see if the user is added to the wheel group and pam_wheel authentication is enabled.
Terminal and login control:
1. Prohibit root user login:

Login program reads / etc / security file to decide which terminal to allow root user to login from. To prohibit root user from login from tty5 and tty6, just annotate the corresponding line in the file:

[root@localhost ~]# vim /etc/securetty                             
#tty5
#tty6

2. Prohibit ordinary users to log in:

When the server is being debugged and no new users want to log on to the system, you can set up a / etc/nologin file. The login program will check whether the / etc/nologin file exists or not, and if it exists, it will refuse the normal user to log on to the system (root user is unrestricted). This method is only recommended for temporary use during server maintenance. When the / etc/nologin file is deleted manually or the host is restarted, it can be restored to normal. (It is only valid for users who log in after creating the file.)

[root@localhost ~]# touch /etc/nologin

Switch safety control:
1. Adjust BIOS boot settings, set the password for BIOS, and enable it.
2. Prohibit the Ctrl+Alt+Del shortcut key to restart the host:

[root@localhost ~]# systemctl mask ctrl-alt-del.target                   #Cancellation of ctrl-alt-del service
Created symlink from /etc/systemd/system/ctrl-alt-del.target to /dev/null.
[root@localhost ~]# systemctl daemon-reload                #Overloaded system D configuration

To restart the ctrl-alt-del shortcut function, simply perform the following:

[root@localhost ~]# systemctl unmask ctrl-alt-del.target 
Removed symlink /etc/systemd/system/ctrl-alt-del.target.
[root@localhost ~]# systemctl daemon-reload 

3. Restrict the change of GRUB boot parameters:

When the Linux system starts up, it can enter the GRUB boot menu by pressing "e" at the following interface. After configuration modification, it can enter the system environment without any password. This vulnerability is obviously a great threat to the server, so the following operations can be performed to set a secret for grub menu. Code, only the correct password is allowed to modify the boot parameters:

[root@localhost ~]# grub2-mkpasswd-pbkdf2                         #Specify password according to prompt
//Enter Password:  Set Password to
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F7169053E0A4C582D0D65D3181CBDF7306E56AAB4D5F6910A576FA42CAD66DE8A28019CC3E8A0A75C56B517325A10D63DF85BD018FEF345359677B403F9FE4.C1E18CA9FFB54BF3AAE7EC0A03B41DD384A5ECB38A42F651C9467442EB41F7319BF4B3C600EC8CC7562C3AF188DB77BDA5FDE4E978E72BD715A77F965CC9EFBD                       #Encrypted cipher string
#To prevent errors in changing grub menu, backup the relevant files first
[root@localhost ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
[root@localhost ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
[root@localhost ~]# vim /etc/grub.d/00_header
#Add the following to the end of the file
cat << EOF
set superusers="change"
password_pbkdf2 change grub.pbkdf2.sha512.10000.F7169053E0A4C582D0D65D3181CBDF7306E56AAB4D5F6910A576FA42CAD66DE8A28019CC403E8A0A75C56B517325A10D63DF85BD018FEF345359677B403F9FE4.C1E18CA9FFB54BF3AAE7EC0A03B41DD384A5ECB38A42F651C9467442EB41F7319BF4B3C600EC8CC7562C3AF188DB77BDA5FDE4E978E72BD715A77F965CC9EFBD
[root@localhost ~]# grub2-mkconfig -o /boot/grub2/grub.cfg             #Generate a new grub.cfg file
Generating grub configuration file ...
/etc/grub.d/00_header: line 361: warning: here-document at line 359 delimited by end-of-file (wanted `EOF')
Found linux image: /boot/vmlinuz-3.10.0-514.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-095dca7b09764ecf91e366075c160144
Found initrd image: /boot/initramfs-0-rescue-095dca7b09764ecf91e366075c160144.img
done

Now restart the server, enter the grub menu, press e will not be able to modify the boot parameters, to modify, you need to enter the correct grub username and password: