Master Linux System Security: Account Hardening, Boot Controls, and Vulnerability Scanning

This guide walks through essential Linux security practices, covering account cleanup and password policies, BIOS and GRUB boot protections, command‑history sanitization, automatic logout settings, weak‑password detection with John the Ripper, and network scanning using Nmap to help harden servers against common threats.

Raymond Ops

Linux – System Security and Applications

As information technology develops rapidly, system security has become an indispensable part of daily life and work. This guide covers account security controls, system boot and login controls, weak-password detection, and port scanning, and presents a series of practical security measures and strategies.

1. Account Security Controls

1.1 Basic Security Measures

(1) System Account Cleanup

Beyond manually created accounts, Linux systems contain many automatically generated accounts, most of which are non‑login service accounts. Except for the superuser root, these accounts should not be allowed to log in.

# grep "/sbin/nologin$" /etc/passwd
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

Redundant accounts such as games can be deleted directly. For accounts left after uninstalling applications, administrators should clean them up manually.
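
To check the rule above, the following added example (not part of the original article) reads a passwd-format file and reports system accounts that still have a login shell, plus any extra UID 0 account. The UID limit of 1000 and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts that break the "only root logs in" rule.
# Assumption: UIDs below 1000 are system accounts (UID_MIN in /etc/login.defs
# on most current distributions); pass another limit as the second argument.
audit_login_shells() {
    awk -F: -v min="${2:-1000}" '
        /^[ \t]*(#|$)/ { next }                     # skip blanks and comments
        NF != 7       { print "MALFORMED line " NR; next }
        $1 == "root"  { next }
        $3 == 0       { print "UID0 " $1; next }    # a second superuser
        $3 < min && $7 !~ /\/(nologin|false)$/ {
            print "LOGIN_SHELL " $1 " uid=" $3 " shell=" $7
        }
    ' "${1:-/etc/passwd}"
}

# Constructed sample data, not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
EOF
}

# Demo on the sample; call audit_login_shells with no argument for /etc/passwd.
sample_passwd | audit_login_shells -
```

An empty result means every non-root system account already uses nologin or false as its shell.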

Long‑unused accounts can be locked temporarily, e.g., to lock or unlock user zhangsan:

# usermod -L zhangsan   # lock account
# passwd -S zhangsan    # view status (LK = locked)
# usermod -U zhangsan   # unlock account
# passwd zhangsan       # set new password

Locking the account files themselves prevents any changes:

# chattr +i /etc/passwd /etc/shadow   # lock files
# lsattr /etc/passwd /etc/shadow       # view lock status
# chattr -i /etc/passwd /etc/shadow   # unlock files

(2) Password Security Controls

To reduce the risk of password guessing or brute‑force attacks, users should change passwords regularly. Administrators can enforce a maximum password age, e.g., 30 days:

# chage -M 30 lisi   # set 30‑day expiry for user lisi

Admins can also force a password change at next login:

# chage -d 0 zhangsan   # force change on next login
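
To confirm that the aging policy is actually in place, this added example (not from the original article) audits a shadow-format file against a maximum age, 30 days by default as in the text. The sample entries, including the user wangwu and all hash strings, are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit shadow-format password aging against a maximum age.
# Fields used: 1=user 2=hash 3=last change (days since 1970) 5=maximum age.
audit_password_aging() {
    awk -F: -v limit="${2:-30}" '
        /^[ \t]*(#|$)/ { next }
        $2 == ""       { print "EMPTY_PASSWORD " $1; next }
        $2 ~ /^[!*]/   { next }       # locked (usermod -L) or no valid hash
        {
            # A last-change value of 0 forces a change at the next login.
            if ($3 == "0") print "MUST_CHANGE " $1
            if ($5 == "" || $5 + 0 > limit + 0)
                print "MAX_AGE " $1 " max=" ($5 == "" ? "unset" : $5)
        }
    ' "${1:-/etc/shadow}"
}

# Constructed sample data; the hash fields are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19800:0:99999:7:::
bin:*:18000:0:99999:7:::
lisi:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19800:0:30:7:::
zhangsan:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0:30:7:::
wangwu:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19800:0:99999:7:::
guest::19800:0:99999:7:::
EOF
}

# Demo on the sample; as root, call audit_password_aging with no argument.
sample_shadow | audit_password_aging -
```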

(3) Command History and Auto Logout

Shell command history can expose sensitive information. The number of stored commands is controlled by HISTSIZE (default 1000). Adjust it in /etc/profile to affect all users:

# vi /etc/profile
HISTSIZE=200   # example change

To clear history on logout, add history -c to ~/.bash_logout. Set an idle timeout with TMOUT (seconds) to auto-logout inactive sessions:

# export TMOUT=300   # 5-minute idle timeout

During long operations, unset TMOUT to avoid premature logout.

2. System Boot and Login Controls

2.1 Power‑On/Off Security

Set the first boot device to the system disk.

Disable boot from other devices.

Set BIOS security level to “setup” and configure an admin password.

2.2 GRUB Boot Parameter Protection

Prevent unauthorized modification of GRUB parameters by setting a GRUB password:

# grub2-mkpasswd-pbkdf2   # generate PBKDF2 hash
# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
# vim /etc/grub.d/00_header   # add superusers and password lines

Generate a new GRUB configuration:

# grub2-mkconfig -o /boot/grub2/grub.cfg
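
After regenerating the configuration, it is worth confirming that the protection made it into grub.cfg. The following added example (not from the original article) checks for a superusers line and a PBKDF2 password, and flags a plaintext password directive. The superuser name root and the hash text in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that a generated grub.cfg carries password protection.
# The lines expected at the end of /etc/grub.d/00_header look like this
# (user name "root" is an assumption, the hash is a placeholder):
#   cat << EOF
#   set superusers="root"
#   password_pbkdf2 root grub.pbkdf2.sha512.10000.<grub2-mkpasswd-pbkdf2 output>
#   EOF
check_grub_password() {
    awk '
        /^[ \t]*set[ \t]+superusers=/ { su = 1 }
        /^[ \t]*password_pbkdf2[ \t]/ {
            if ($3 ~ /^grub\.pbkdf2\.sha512\./) hashed = 1
            else print "BAD_HASH line " NR
        }
        /^[ \t]*password[ \t]/ { plain = 1; print "PLAINTEXT_PASSWORD line " NR }
        END {
            if (!su)     print "NO_SUPERUSERS"
            if (!hashed) print "NO_PBKDF2_PASSWORD"
            ok = (su && hashed && !plain)
            exit (ok ? 0 : 1)
        }
    ' "${1:-/boot/grub2/grub.cfg}"
}

# Constructed sample configurations, not taken from a real system.
sample_grub_ok() {
    cat <<'EOF'
set timeout=5
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
EOF
}
sample_grub_weak() {
    cat <<'EOF'
set superusers="root"
password root secret123
EOF
}

# Demo on the protected sample; call with no argument for /boot/grub2/grub.cfg.
sample_grub_ok | check_grub_password - && echo "sample config: protected"
```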

2.3 Terminal and Login Control

During maintenance, prevent normal users from logging in by creating /etc/nologin (root can still log in):

# touch /etc/nologin

Remove the file or reboot to restore normal login.

3. Weak Password Detection and Port Scanning

3.1 Weak Password Detection

Use John the Ripper to audit password strength. Install by compiling the source:

# tar zxf john-1.8.0.tar.gz
# cd john-1.8.0
# cd src
# make clean linux-x86-64   # compile
# ../run/john   # executable

Copy /etc/shadow for analysis and run John:

# cp /etc/shadow /root/shadow.txt
# cd ../run                 # the john binary is built into the run directory
# ./john /root/shadow.txt   # start cracking

Cracked passwords are saved in john.pot; view them with:

# ./john --show /root/shadow.txt

Custom wordlists can be used with the --wordlist option, e.g., password.lst containing common weak passwords.

3.2 Network Scanning – NMAP

Install Nmap:

# dnf -y install nmap

Basic scan syntax:

nmap [scan type] [options] <target...>

Common scan types include:

-sS: TCP SYN (half-open) scan.

-sT: TCP connect scan.

-sF: TCP FIN scan.

-sU: UDP scan.

-sP: ICMP ping scan.

-P0: Skip ping discovery.
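
For hardening, a scan of your own server is most useful when compared against the ports you expect to be open. This added example (not from the original article) parses Nmap's grepable output, produced with the -oG option that the list above does not cover, and reports open ports missing from an allowlist. The address, ports and allowlist are constructed.

```shell
#!/bin/sh
# Added example: compare a scan of your own server with an allowlist.
# Input is Nmap grepable output, e.g. from: nmap -sT -oG - <your server>
# Usage: unexpected_ports "22/tcp 443/tcp" scan.gnmap   (or "-" for stdin)
unexpected_ports() {
    awk -F'\t' -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            split($1, h, " "); host = h[2]          # "Host: <addr> (<name>)"
            for (f = 2; f <= NF; f++) {
                if ($f !~ /^Ports: /) continue
                m = split(substr($f, 8), p, ", ")
                for (j = 1; j <= m; j++) {
                    # entry layout: port/state/protocol/owner/service/...
                    split(p[j], e, "/")
                    key = e[1] "/" e[3]
                    if (e[2] == "open" && !(key in ok))
                        print "UNEXPECTED " host " " key " " e[5]
                }
            }
        }
    ' "${2:--}"
}

# Constructed sample output; 192.0.2.10 is a documentation address.
sample_scan() {
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (997)\n'
}

# Demo: only SSH and HTTPS are expected on this host.
sample_scan | unexpected_ports "22/tcp 443/tcp" -
```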
