I will cover Linux system security and applications in three parts, combining theory with practice. This first article looks at account security controls!
A user account is a computer user's credential or identity: anyone who wants to access system resources must log in to the computer with a user account. Linux provides a variety of mechanisms to ensure that user accounts are used properly and safely.
(A) Account security control
Basic security measures
1. System account cleanup
Set the shell of non-login users to /sbin/nologin (vim /etc/passwd)
Lock accounts that are not used for long periods (passwd or usermod)
Delete unused accounts (userdel)
Lock the account files passwd and shadow
Lock the files and view their status - chattr, lsattr
[root@localhost ~]# lsattr /etc/passwd /etc/shadow        # view the status
---------------- /etc/passwd
---------------- /etc/shadow
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow     # lock the account files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow        # check the status: the locked state shows i
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# useradd zhangsan                      # try adding a user
useradd: unable to open /etc/passwd
[root@localhost ~]# tail -3 /etc/passwd                   # the user cannot be added because the passwd file is locked
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
test1:x:1000:1000:test1:/home/test1:/bin/bash
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow     # unlock the account files
2. Password security control
Set password expiration
Require the user to change the password at the next login
Set password expiration - for new users
Edit the configuration file /etc/login.defs
[root@localhost ~]# vim /etc/login.defs        # edit the configuration file
Set the password validity period - for existing users
[root@localhost ~]# chage -M 30 zhangsan       # set the password validity period for an existing user
Require the user to change the password at the next login (first set a password for lisi with passwd)
[root@localhost ~]# chage -d 0 lisi            # make the user lisi change the password at the next login
At login the user has to set a new password, after first entering the current one
The new password must not be too simple and must not consist of consecutive letters or digits; an example of a valid password: qwer1995
3. Command history limits
Reduce the number of recorded commands
Automatically clear the command history at logout
Set the system command history limit (global: /etc/profile)
[root@localhost ~]# vim /etc/profile           # edit the system environment variable configuration file
Automatically clear the command history at logout - set in the user's personal configuration file ~/.bash_logout
Automatic terminal logout - log out automatically after a limit of 600 seconds
[root@localhost ~]# vim /etc/profile           # edit the system environment variable configuration file
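One way to check the measures from sections 1 to 3, as an added example that is not part of the original article: it reports system accounts that still have a login shell, accounts whose password validity is unset or longer than 30 days, accounts flagged by chage -d 0, and the history and timeout values in a profile file. The sample files are constructed, and the UID range 1-999 for system accounts and the variable names HISTSIZE and TMOUT are assumptions that the article does not state.

```shell
#!/bin/sh
# Added example (not from the original article). All sample data is constructed.
# Assumptions: UIDs 1-999 are system accounts; HISTSIZE/TMOUT are the profile variables.

# System accounts whose shell still permits login ($1 = passwd-format file).
login_capable_system_accounts() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ {print $1}' "$1"
}

# Accounts with a usable password whose max age (field 5) is unset or above $2 days.
weak_expiry_accounts() {
    awk -F: -v max="$2" '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5+0 > max) {print $1}' "$1"
}

# Accounts that must change password at next login: chage -d 0 sets field 3 to 0.
forced_change_accounts() {
    awk -F: '$3 == "0" {print $1}' "$1"
}

# Last numeric value assigned to variable $2 in profile file $1 (empty if unset).
profile_value() {
    awk -v var="$2" '{ sub(/^[ \t]*(export[ \t]+)?/, "") }
        index($0, var "=") == 1 { v = substr($0, length(var) + 2); sub(/[^0-9].*/, "", v); val = v }
        END { print val }' "$1"
}

SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
backupsvc:x:498:498::/home/backupsvc:/bin/bash
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
lisi:x:1002:1002::/home/lisi:/bin/bash
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:$6$CONSTRUCTED$hash:19000:0:99999:7:::
postfix:!!:19000::::::
backupsvc:$6$CONSTRUCTED$hash:19000:0:99999:7:::
zhangsan:$6$CONSTRUCTED$hash:19000:0:30:7:::
lisi:$6$CONSTRUCTED$hash:0:0:99999:7:::
EOF
printf 'HISTSIZE=200\nexport TMOUT=600\n' > "$SAMPLE/profile"

echo "System accounts with a login shell : $(login_capable_system_accounts "$SAMPLE/passwd" | xargs)"
echo "Password max age unset or > 30 days: $(weak_expiry_accounts "$SAMPLE/shadow" 30 | xargs)"
echo "Must change password at next login : $(forced_change_accounts "$SAMPLE/shadow" | xargs)"
echo "HISTSIZE=$(profile_value "$SAMPLE/profile" HISTSIZE) TMOUT=$(profile_value "$SAMPLE/profile" TMOUT)"
```

On a real host, the same functions can be pointed at /etc/passwd, /etc/shadow and /etc/profile as root.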
The rest of the content will be presented later!
Thanks for reading!