Essential Linux System Security: Account Hardening, Password Policies, and Vulnerability Scanning

This guide covers Linux system security fundamentals, including account cleanup, password aging and locking, command‑history protection, BIOS/GRUB boot hardening, login restrictions, weak‑password detection with John the Ripper, and network port scanning using Nmap, providing practical commands and configuration steps for each topic.

MaGe Linux Operations

Linux – System Security and Applications

With the rapid development of information technology, system security has become an indispensable part of daily life and work, covering account security control, system boot and login control, weak‑password detection, and port scanning.

1. Account Security Control

1.1 Basic Security Measures

(1) System Account Cleanup

Besides manually created accounts, the system creates many service accounts that should not allow login. Except for the superuser root, these non‑login accounts can be removed or locked. List them with:

grep "/sbin/nologin$" /etc/passwd

Typical output shows accounts such as bin, daemon, adm, etc.

(2) Redundant Accounts

Rarely used accounts (e.g., games) can be deleted. Accounts that have gone unused for a long time should be locked first:

usermod -L zhangsan   # lock account
passwd -S zhangsan   # view status
usermod -U zhangsan   # unlock account
passwd zhangsan       # set new password

(3) Locking Account Files

Use chattr to make /etc/passwd and /etc/shadow immutable, preventing any changes.

chattr +i /etc/passwd /etc/shadow   # lock files
lsattr /etc/passwd /etc/shadow      # verify lock
chattr -i /etc/passwd /etc/shadow   # unlock files

1.2 Password Security Control

Set a maximum password age to reduce the risk of brute‑force attacks. For new users, edit /etc/login.defs (e.g., PASS_MAX_DAYS 30). For existing users, use chage:

chage -M 30 lisi   # set 30‑day expiry for user lisi

Force a password change on next login:

chage -d 0 zhangsan   # force password reset
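The checks from sections 1.1 and 1.2 can be run across every account at once. The script below is an added example, not part of the original article: it reads passwd- and shadow-format files and reports login-capable accounts that are locked, flagged for a forced change, or over the maximum password age. The sample files and the user wangwu are constructed, and the function names are hypothetical.

```shell
# Added example: audit passwd/shadow-format files (constructed sample data below).
# On a real host, run as root against /etc/passwd and /etc/shadow.

# Accounts whose shell is not nologin/false, i.e. candidates for cleanup or locking.
login_accounts() {  # $1 = passwd-format file
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# For login-capable accounts, report lock state and password-aging problems.
audit_accounts() {  # $1 = passwd file, $2 = shadow file, $3 = max allowed days
    awk -F: -v max="$3" '
        NR == FNR { if ($7 !~ /\/(nologin|false)$/) login[$1] = 1; next }
        !($1 in login) { next }
        $2 ~ /^!/ { print $1, "locked" }                # usermod -L prefixes "!"
        $2 == ""  { print $1, "empty-password" }
        $3 == "0" { print $1, "must-change-at-login" }  # set by chage -d 0
        $5 == "" || $5 + 0 > max + 0 { print $1, "max-age-exceeds-" max }
    ' "$1" "$2"
}

# Constructed sample files; the hashes are placeholders, not real hashes.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" << 'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
zhangsan:x:1000:1000::/home/zhangsan:/bin/bash
lisi:x:1001:1001::/home/lisi:/bin/bash
wangwu:x:1002:1002::/home/wangwu:/bin/bash
EOF
cat > "$SAMPLE/shadow" << 'EOF'
root:$6$CONSTRUCTED$hash:19000:0:99999:7:::
bin:*:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
zhangsan:!$6$CONSTRUCTED$hash:0:0:30:7:::
lisi:$6$CONSTRUCTED$hash:19700:0:30:7:::
wangwu:$6$CONSTRUCTED$hash:19700:0:99999:7:::
EOF

# Report every finding against a 30-day policy (PASS_MAX_DAYS 30).
audit_accounts "$SAMPLE/passwd" "$SAMPLE/shadow" 30
```

Accounts that produce no line, such as lisi in the sample, already meet the 30‑day policy.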

1.3 Command History and Auto Logout

Limit command‑history size with HISTSIZE and clear history on logout via ~/.bash_logout:

export HISTSIZE=200   # keep at most 200 history entries
# in ~/.bash_logout: clear the history and the screen on logout
history -c
clear

Set an idle timeout with TMOUT (the value is in seconds). Unset it before long‑running operations so the session is not closed midway:

export TMOUT=300   # auto‑logout after 5 minutes of inactivity
unset TMOUT        # cancel timeout

2. System Boot and Login Control

2.1 Power‑On/Off Security

Set the first boot device to the system disk.

Disable booting from other devices.

Set BIOS security level to “setup” and configure a BIOS password.

2.2 GRUB Parameter Protection

Generate a GRUB password with grub2-mkpasswd-pbkdf2 and add it to /etc/grub.d/00_header:

grub2-mkpasswd-pbkdf2   # follow prompts to create hash
cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
vim /etc/grub.d/00_header   # add superuser and password lines

Regenerate the GRUB configuration:

grub2-mkconfig -o /boot/grub2/grub.cfg
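After regenerating the configuration, it is worth confirming that the password entry actually reached grub.cfg. The following is an added example, not part of the original article: its comments show the usual form of the lines added to 00_header, with `<hash>` as a placeholder for the grub2-mkpasswd-pbkdf2 output, and the function `grub_protected` (a hypothetical name) checks a grub.cfg-format file. The sample files are constructed.

```shell
# Added example. Usual form of the lines appended to /etc/grub.d/00_header
# (<hash> is a placeholder for the string printed by grub2-mkpasswd-pbkdf2):
#   cat << EOF
#   set superusers="root"
#   password_pbkdf2 root grub.pbkdf2.sha512.10000.<hash>
#   EOF

# Return 0 only if the file names a superuser AND has a PBKDF2 password entry
# for that same user (a plaintext "password" line does not count).
grub_protected() {  # $1 = grub.cfg-format file
    gp_user=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$gp_user" ] || return 1
    grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$gp_user[[:space:]]+grub\.pbkdf2\.sha512\." "$1"
}

# Constructed sample configurations (the hash text is a placeholder).
GRUB_SAMPLE=$(mktemp -d)
cat > "$GRUB_SAMPLE/good.cfg" << 'EOF'
set timeout=5
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
EOF
cat > "$GRUB_SAMPLE/plain.cfg" << 'EOF'
set superusers="root"
password root constructed-plaintext
EOF
cat > "$GRUB_SAMPLE/none.cfg" << 'EOF'
set timeout=5
EOF

# On a real host, check /boot/grub2/grub.cfg instead of the samples.
for cfg in good plain none; do
    if grub_protected "$GRUB_SAMPLE/$cfg.cfg"; then
        echo "$cfg.cfg: protected"
    else
        echo "$cfg.cfg: NOT protected"
    fi
done
```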

2.3 Terminal and Login Control

During maintenance, create /etc/nologin to block non‑root logins:

touch /etc/nologin

Remove the file or reboot to restore normal login.

3. Weak Password Detection and Port Scanning

3.1 Weak Password Detection

Use John the Ripper to crack password hashes from /etc/shadow.

tar zxf john-1.8.0.tar.gz
cd john-1.8.0
cd src
make clean linux-x86-64   # compile
cp /etc/shadow /root/shadow.txt   # work on a copy of the shadow file
../run/john /root/shadow.txt   # start cracking

Cracked passwords are saved in john.pot and can be displayed:

../run/john --show /root/shadow.txt

3.2 Network Scanning – Nmap

Install Nmap and perform various scans:

dnf -y install nmap

Basic command syntax:

nmap [scan type] [options] <target...>

Common scan types:

-sS TCP SYN (half‑open) scan

-sT TCP connect scan

-sF TCP FIN scan

-sU UDP scan

-sP ICMP ping scan

-P0 skip ping discovery

Written by

MaGe Linux Operations