Master Linux Account Security: PAM, sudo, GRUB Hardening & Weak Password Detection
This guide details comprehensive Linux security measures, including system account cleanup, password policies, command history limits, terminal auto‑logout, controlled use of the su command via PAM wheel module, PAM authentication fundamentals, sudo configuration, GRUB boot‑parameter protection, weak‑password detection with John the Ripper, and network port scanning techniques.
1. Account Security Controls
Basic Measures
1) System Account Cleanup
Set the shell of accounts that never log in interactively to /sbin/nologin (usermod -s /sbin/nologin name), lock accounts that have not been used for a long time (passwd -l name), delete accounts that are no longer needed, and make /etc/passwd and /etc/shadow immutable with chattr +i. While the immutable flag is set, useradd and passwd fail; run chattr -i before planned changes and check the flag with lsattr.
2) Password Security Control
Set a maximum password age of 30 days for an existing account: chage -M 30 username (PASS_MAX_DAYS in /etc/login.defs sets the default for accounts created afterwards). Force a password change at the next login: chage -d 0 username. Check the result with chage -l username.
3) Command History Limitation
Reduce the number of commands bash keeps (default 1000) by setting HISTSIZE in /etc/profile, for example HISTSIZE=200, and clear the history on logout by adding history -c to ~/.bash_logout, so that passwords or tokens typed on the command line do not survive in ~/.bash_history.
4) Automatic Terminal Logout
Log out idle sessions after 600 seconds by exporting TMOUT=600 from /etc/profile (or a file under /etc/profile.d/). Also declare it readonly TMOUT; otherwise a user can simply unset it.
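As an added example (not part of the original article), the script below audits copies of /etc/passwd and /etc/shadow against the controls above and prints the commands an operator would run next; it changes nothing itself. The sample data is constructed, the 30-day limit follows the chage -M 30 above, and the UID 1000 boundary assumes the login.defs of RHEL/CentOS 7. The empty-password and legacy-hash checks are also the triage you would do before handing the file to John in section 6.

```python
"""Audit copies of /etc/passwd and /etc/shadow for the section 1 controls.

Added example, not code from the original article. It only reads text (a
copy of the two files, or the constructed samples below) and prints the
chage/usermod/passwd commands an operator would then run; it changes nothing.
"""
MAX_PASSWORD_AGE = 30          # days, the article's `chage -M 30`
SYSTEM_UID_MAX = 999           # assumes UID_MIN 1000 (RHEL/CentOS 7 login.defs)
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample data, not copied from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
tom:x:1001:1001::/home/tom:/bin/bash
jerry:x:1002:1002::/home/jerry:/bin/bash
old:x:1003:1003::/home/old:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$k3y3Jx2F$notARealHash:18000:0:99999:7:::
bin:*:17000:0:99999:7:::
ftp:*:17000:0:99999:7:::
games:*:17000:0:99999:7:::
tom:$6$Q9pLm4Vd$notARealHash:18000:0:99999:7:::
jerry::18000:0:30:7:::
old:$1$abcdefgh$notARealHash:15000:0:30:7:::
"""


def parse_passwd(text):
    """Map account name -> (uid, login shell)."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        accounts[name] = (int(uid), shell)
    return accounts


def parse_shadow(text):
    """Map account name -> (password field, max age in days or None if unset)."""
    entries = {}
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        max_days = int(fields[4]) if fields[4] else None
        entries[fields[0]] = (fields[1], max_days)
    return entries


def is_locked(pw_field):
    """'!' is what passwd -l prefixes; '*' and '!!' mean no usable password."""
    return pw_field.startswith(("!", "*"))


def audit(passwd_text, shadow_text):
    """Return (account, problem, remediation command) tuples in passwd order."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for name, (uid, shell) in parse_passwd(passwd_text).items():
        pw_field, max_days = shadow.get(name, ("", None))
        if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            findings.append((name, "system account with a login shell",
                             f"usermod -s /sbin/nologin {name}"))
        if pw_field == "":
            findings.append((name, "empty password field (no password needed)",
                             f"passwd -l {name}"))
            continue
        if is_locked(pw_field):
            continue                      # nothing to age on a locked account
        if pw_field.startswith("$1$") or not pw_field.startswith("$"):
            findings.append((name, "legacy md5crypt/DES hash; force a rehash",
                             f"chage -d 0 {name}"))
        if max_days is None or max_days > MAX_PASSWORD_AGE:
            age = "unset" if max_days is None else f"{max_days} days"
            findings.append((name, f"password max age {age} exceeds {MAX_PASSWORD_AGE} days",
                             f"chage -M {MAX_PASSWORD_AGE} {name}"))
    return findings


if __name__ == "__main__":
    for account, problem, command in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account:8} {problem:48} -> {command}")
```

Run it against real copies with audit(open("/opt/passwd.txt").read(), open("/opt/shadow.txt").read()) as root, review the printed commands, then apply them and finish with chattr +i on both files.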
2. Controlling the su Command
Use su - username to switch users (the dash gives a login shell with the target user's environment). By default any user can run su and try the password of any account, root included, so an unprivileged user can keep guessing.
1) Restrict su Users
Add the users who are allowed to switch to the wheel group and enable the pam_wheel module in /etc/pam.d/su, so that su checks group membership before it accepts a password.
The relevant lines of /etc/pam.d/su (on RHEL/CentOS the pam_rootok line is active by default and both pam_wheel lines are commented out):
# /etc/pam.d/su
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
Settings (pam_rootok passes a caller whose UID is 0 without a password; pam_wheel with required rejects callers outside wheel; use_uid checks the real UID of the caller instead of the owner of the login session):
pam_rootok off, pam_wheel off: every caller, root included, must enter the target account's password, and anyone may try.
pam_rootok on, pam_wheel off (the default): root switches without a password; everyone else enters the target account's password.
pam_rootok on, pam_wheel required on: root switches without a password; only wheel members may use su, and they still enter the target account's password. Only the trust variant waives the password for wheel members.
pam_rootok off, pam_wheel required on: only wheel members can use su; root is blocked too unless it is itself a member of wheel.
2) Enable pam_wheel for Specific Users
Add a user to the wheel group: gpasswd -a username wheel
Verify membership: grep wheel /etc/group (or id username)
Uncomment the auth required pam_wheel.so use_uid line in /etc/pam.d/su. The change applies to the next su invocation; no service restart is needed. Before closing your root session, test from an account outside wheel: su - root must now report Permission denied even with the correct root password.
3. PAM Security Authentication in Linux
1) Risks of the su Command
Any user can repeatedly attempt to guess other users' passwords, especially root.
2) What is PAM?
PAM (Pluggable Authentication Modules) provides a flexible, modular authentication framework widely used in Linux.
3) PAM Authentication Flow
Service → PAM configuration file (/etc/pam.d/<service>) → module library (/lib64/security on 64‑bit systems, /lib/security on 32‑bit).
4) PAM Configuration Columns
type: auth, account, password, session
control flag: required, requisite, sufficient, optional, include
module path: usually /lib64/security/*.so; a bare module name is resolved there
module arguments: module‑specific parameters, for example use_uid or trust
5) Meaning of Control Flags
required: the module must succeed; a failure is recorded, but the remaining modules still run before the stack finally fails, so the caller cannot tell from the prompt sequence which module rejected them.
requisite: a failure aborts the stack immediately and returns that error.
sufficient: a success ends the stack with success at once, provided no earlier required module has failed; a failure of a sufficient module is ignored.
optional: the result only matters if it is the only module in the stack for that type.
6) PAM Configuration Example for su
Each auth line in /etc/pam.d/su is one step; the steps are evaluated top to bottom and combined with the control flags above.
7) PAM Authentication Process
For su on RHEL/CentOS the auth steps run in this order:
pam_rootok.so (sufficient): if the caller is UID 0 the stack ends with success and root switches without a password; for any other caller the module fails and, being sufficient, the failure is ignored.
pam_wheel.so use_uid (required, once uncommented): a caller outside wheel fails here; the failure is recorded, but the next step still runs.
system-auth (substack): asks for the target account's password; a wrong password is another failure, and a right one cannot override the wheel failure already recorded, so the result is still denied.
A requisite flag on the pam_wheel line would instead stop the stack before the password prompt appears.
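The following added example (not code from the original article or from Linux-PAM) models the evaluation rules described in sections 2 and 3 and runs the /etc/pam.d/su auth stack for several callers. The three module stand-ins are deliberate simplifications: pam_rootok passes UID 0, pam_wheel passes wheel members, and pam_unix.so stands in for the auth substack system-auth password check. The combination rules for required, requisite, sufficient and optional follow pam.conf(5).

```python
"""Simulate how Linux-PAM evaluates the /etc/pam.d/su auth stack.

Added example, not code from the original article or from Linux-PAM. The
module stand-ins (pam_rootok, pam_wheel, pam_unix) are simplifications; the
stack rules follow pam.conf(5) for required/requisite/sufficient/optional.
"""
from dataclasses import dataclass, field


@dataclass
class Caller:
    uid: int                       # real UID of the user running su (use_uid)
    groups: set                    # supplementary groups of the caller
    password_ok: bool              # whether the typed target password is right
    ran: list = field(default_factory=list)   # modules invoked, in order


# Stand-ins for the real modules: True means PAM_SUCCESS.
def pam_rootok(c):                 # passes a caller whose UID is 0
    return c.uid == 0


def pam_wheel(c):                  # passes a caller who is in the wheel group
    return "wheel" in c.groups


def pam_unix(c):                   # stands in for `auth substack system-auth`
    return c.password_ok


MODULES = {"pam_rootok.so": pam_rootok, "pam_wheel.so": pam_wheel,
           "pam_unix.so": pam_unix}


def su_config(rootok=True, wheel=None):
    """Return an /etc/pam.d/su auth section in the RHEL layout.

    wheel: None                     -> both pam_wheel lines commented (default)
           'required' / 'requisite' -> restrict su to wheel members
           'trust'                  -> wheel members switch without a password
    """
    def on(active):
        return "" if active else "#"
    wheel_ctl = wheel if wheel in ("required", "requisite") else "required"
    return "\n".join([
        on(rootok) + "auth sufficient pam_rootok.so",
        on(wheel == "trust") + "auth sufficient pam_wheel.so trust use_uid",
        on(wheel in ("required", "requisite")) + f"auth {wheel_ctl} pam_wheel.so use_uid",
        "auth required pam_unix.so",
    ])


def parse_auth_stack(text):
    """Extract (control, module) from active auth lines; '#' lines are skipped."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def run_auth(stack, caller):
    """Evaluate the auth stack; True means PAM would grant access."""
    result = None                  # None: undecided, True/False: recorded outcome
    for control, module in stack:
        ok = MODULES[module](caller)
        caller.ran.append(module)
        if control in ("required", "requisite"):
            if ok:
                if result is None:
                    result = True
            else:
                result = False                 # failure sticks; later modules
                if control == "requisite":     # still run unless requisite
                    return False
        elif control == "sufficient":
            if ok and result is not False:     # early success, unless an
                return True                    # earlier required already failed
        elif control == "optional":
            if ok and result is None:
                result = True
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return result is True


def attempt(config, uid, groups=(), password_ok=False):
    """Run su's auth stack for one caller; returns (granted, modules_run)."""
    caller = Caller(uid=uid, groups=set(groups), password_ok=password_ok)
    return run_auth(parse_auth_stack(config), caller), caller.ran


if __name__ == "__main__":
    default, restricted = su_config(), su_config(wheel="required")
    print("default, root, no password:       ", attempt(default, 0))
    print("default, tom, right password:     ", attempt(default, 1001, (), True))
    print("wheel required, tom, right pw:    ", attempt(restricted, 1001, (), True))
    print("wheel required, jerry in wheel:   ", attempt(restricted, 1002, {"wheel"}, True))
    print("wheel requisite, tom:             ", attempt(su_config(wheel="requisite"), 1001, (), True))
    print("rootok off, wheel required, root: ", attempt(su_config(False, "required"), 0, (), True))
```

The modules_run list is the point of the required versus requisite comparison: with required, pam_unix.so still runs for a caller outside wheel (a password prompt appears and then Permission denied), with requisite the stack stops at pam_wheel.so.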
4. Using sudo for Privilege Escalation
1) sudo Overview
Run a command as another user (root by default) with sudo command. Rights are granted in /etc/sudoers, which has mode 0440. Edit it with visudo rather than vi /etc/sudoers: visudo locks the file and refuses to save a rule set with a syntax error, whereas a broken file written with vi can lock everyone out of sudo.
Syntax: user host = (runas) command_list
Examples:
Tom ALL=/sbin/ifconfig
Jerry localhost=/sbin/*, !/sbin/reboot, !/sbin/poweroff
The wildcard * matches any file in /sbin (it does not cross a / in the path), and ! excludes a command. The sudoers manual warns that subtracting commands with ! from a broad grant is not reliable; the second rule above still lets Jerry run sudo /sbin/shutdown -r now, which reboots the host despite the exclusion. Prefer an explicit list of permitted commands. Check what a user ends up with using sudo -l -U Jerry as root.
2) sudo Options
-l: list the commands the caller may and may not run (sudo -l -U user shows another user's rights).
-v: validate the timestamp, extending the sudo session without running a command.
-u: specify the user to run the command as.
-k: invalidate the timestamp so the next sudo asks for the password again.
3) User Alias Example
Define aliases to simplify large rule sets (alias names must be upper‑case):
User_Alias OPERATORS = zhangsan, tom, lisi
Host_Alias MAILSVRS = smtp, pop
Cmnd_Alias PKGTOOLS = /bin/rpm, /usr/bin/yum
Then grant permissions using the aliases, for example OPERATORS MAILSVRS=(root) PKGTOOLS, which lets the three operators run rpm and yum as root on the hosts smtp and pop. Host aliases are matched against the local hostname, so one sudoers file can be distributed to every machine.
5. Restricting GRUB Boot Parameters
Protect the GRUB menu with a password to prevent unauthorized boot‑parameter changes.
Generate a PBKDF2 hash of the chosen password: grub2-mkpasswd-pbkdf2 (it prints a string beginning grub.pbkdf2.sha512.10000.). Back up /boot/grub2/grub.cfg and the scripts under /etc/grub.d/, then append to /etc/grub.d/00_header. That file is a shell script that emits configuration, so the lines must be printed, not written bare:
cat <<EOF
set superusers="root"
password_pbkdf2 root hashed_password
EOF
where hashed_password is the full string printed by grub2-mkpasswd-pbkdf2. Regenerate the GRUB configuration:
grub2-mkconfig -o /boot/grub2/grub.cfg
(on a UEFI system the file to regenerate lives under /boot/efi/EFI/<distro>/grub.cfg). Afterwards, pressing e or c at the menu asks for the superuser name and password. Check that the generated menuentry lines carry --unrestricted: without it GRUB demands the password to boot the entry at all, not only to edit it, and an unattended reboot stops at the prompt.
6. Weak Password Detection
1) Using John the Ripper
Install build tools: yum install -y gcc gcc-c++ make
Extract and compile:
cd /opt
tar -zxf john-1.8.0.tar.gz
cd john-1.8.0/src
make clean linux-x86-64
Prepare the password file as root and keep the copy private, since it holds every account's hash: cp /etc/shadow /opt/shadow.txt && chmod 600 /opt/shadow.txt
Run cracking (the default run tries single‑crack mode, then the bundled wordlist password.lst, then incremental brute force; --wordlist=file substitutes your own list):
cd /opt/john-1.8.0/run
./john /opt/shadow.txt
Show cracked accounts:
./john --show /opt/shadow.txt
Force a password change (chage -d 0 user) or lock every account that appears, and shred the shadow copy when finished. John 1.8.0 is an old release: it handles the sha512crypt ($6$) hashes of current systems through its slow generic crypt(3) format, and the jumbo build is the usual choice today.
7. Network Port Scanning
Install nmap: yum install -y nmap
Common options:
-p: specify ports, for example -p 22,80,443 or -p 1-1024.
-n: skip reverse DNS resolution.
-sS: SYN (half‑open) scan; needs raw sockets, so it is the default when run as root.
-sT: TCP connect scan; completes the handshake, so it works unprivileged but is logged by the target service.
-sF: FIN scan; sends bare FIN packets, which a stateless packet filter may let through, so it can reveal ports that a SYN scan shows as filtered. It relies on RFC 793 behaviour (closed ports answer RST, open ports stay silent) and gives nothing useful against Windows stacks, which answer RST either way.
-sU: UDP scan.
-sP: ping scan, host discovery only (now spelled -sn).
-Pn: treat all hosts as up and skip host discovery.
Scan only hosts you are authorized to test, and compare the open ports with the service inventory; anything unexpected is a candidate for removal or a firewall rule.
Additional PAM Hardening for SSH
Add to /etc/pam.d/sshd, above the auth substack password-auth line so the counter is consulted before the password is checked:
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=1200
This locks an account for 600 seconds after three consecutive failures, and root for 1200 seconds. View and reset counters with pam_tally2 --user=name and pam_tally2 --user=name --reset. Note that even_deny_root lets anyone who can reach the SSH port lock root out for 20 minutes at a time, so keep a console path. pam_tally2 has been superseded by pam_faillock on RHEL/CentOS 8 and later, where the equivalent settings live in /etc/security/faillock.conf.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.