Introduction: Although a Linux system is safe, efficient, and stable, it is not secure if you pay no attention to hardening it. This article covers account security, system boot and login security, the detection of weak passwords, and the use of network scanning tools.
I. Account security control
1. System account cleanup
Set the shell of users who do not need to log in to /sbin/nologin
usermod -s /sbin/nologin username
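2. Lock accounts that are not used for a long time
Method one: passwd -l username (two "!" characters appear before the ciphertext). Unlock with passwd -u username; view the status with passwd -S username.
Method two: usermod -L username (one "!" character appears before the ciphertext). Unlock with usermod -U username.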
3. Delete unused accounts
userdel -r username
4. Lock the account files
chattr +i /etc/shadow /etc/passwd
While these files are locked, new users cannot be created.
5. View the file status
lsattr /etc/passwd /etc/shadow
6. Unlock the files
chattr -i /etc/passwd /etc/shadow
II. Password security control
1. Set the password validity period for an existing user:
chage -M days username
2. Set the password validity period for new users
vim /etc/login.defs
Create a new user to check that the change took effect.
3. Force a password change at next login
chage -d 0 Zhangsan
(Note: the new password cannot use consecutive characters or numbers; otherwise the new password is rejected.)
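The settings from sections I and II can be checked in one pass. The following is an added example, not part of the original article: it reads passwd- and shadow-format files and flags service accounts that still have a login shell, accounts locked with the "!!" or "!" prefix described above, and password aging values. The function names, the UID 1-999 service-account range and the sample users are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Usage: audit_accounts PASSWD_FILE SHADOW_FILE
# Prints one "<user> <finding>" line per issue found.
audit_accounts() {
    awk -F: '
        # First file (passwd format): remember UID and login shell.
        NR == FNR { uid[$1] = $3 + 0; shell[$1] = $7; next }
        # Second file (shadow format): user:hash:lastchg:min:max:...
        {
            user = $1; hash = $2
            nologin = (shell[user] ~ /\/(nologin|false)$/)
            # Assumption: UIDs 1-999 are service accounts (common default).
            if (uid[user] > 0 && uid[user] < 1000 && !nologin)
                print user, "system-account-with-login-shell"
            # Lock markers as the article describes them: "!!" vs "!".
            if (hash ~ /^!!./)        print user, "locked-passwd-l"
            else if (hash ~ /^![^!]/) print user, "locked-usermod-L"
            # Aging matters only for accounts that can still log in.
            if (!nologin && hash !~ /^[!*]/) {
                if ($5 == "" || $5 + 0 >= 99999) print user, "password-never-expires"
                if ($3 == "0") print user, "must-change-at-next-login"
            }
        }
    ' "$1" "$2"
}

# Constructed sample data (dummy hashes, not from a real system).
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
zhangsan:x:1000:1000::/home/zhangsan:/bin/bash
lisi:x:1001:1001::/home/lisi:/bin/bash
wangwu:x:1002:1002::/home/wangwu:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$CONSTRUCTED:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
games:*:19000:0:99999:7:::
zhangsan:$6$CONSTRUCTED:0:0:30:7:::
lisi:!!$6$CONSTRUCTED:19000:0:30:7:::
wangwu:!$6$CONSTRUCTED:19000:0:99999:7:::
EOF
}
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On a real system, run audit_accounts /etc/passwd /etc/shadow as root, since /etc/shadow is not readable by ordinary users.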
III. Command history restrictions
1. Reduce the number of history entries
The history command (1000 entries are retained by default)
history: view the command history
history -c: clear the history
Edit the /etc/profile file with vim (this file holds the system-wide variables and the related settings) and change the value after "HISTSIZE=".
2. Automatically clear the command history at logout
Method: edit the ".bash_logout" file in the home directory with vim and add "history -c".
3. Automatically log out idle terminals
Edit the /etc/profile file with vim and add "export TMOUT=value".
After changing the configuration file, run source /etc/profile to apply it.
When no process is running, the system automatically logs out after 15 seconds.