Fading Coder

One Final Commit for the Last Sprint


Hardening Linux Systems: Account Security, Authentication Controls, and Network Defense

Tech May 11 12

1. Account Security

1.1 Securing System Accounts

Non-interactive system accounts should have /sbin/nologin (or /bin/false) as their shell so that nobody can log in with them interactively. List the accounts already set up that way, then fix any that still carry a shell:

grep '/sbin/nologin$' /etc/passwd
sudo usermod -s /sbin/nologin backupsvc

To disable a dormant account without deleting it, lock its password (either command does it; both prefix the hash in /etc/shadow with "!", so one is enough):

sudo usermod -L inactive_user
sudo passwd -l inactive_user
sudo passwd -S inactive_user  # verify: the status column shows LK (or L) when locked

Unlock with:

sudo usermod -U inactive_user
sudo passwd -u inactive_user

To make the critical authentication files immutable (e.g., during a maintenance window when no account changes are expected):

sudo chattr +i /etc/passwd /etc/shadow
sudo lsattr /etc/passwd /etc/shadow
# useradd, usermod and passwd now fail because the files cannot be written
sudo chattr -i /etc/passwd /etc/shadow

The attribute blocks every write, including users' own password changes and the last-change updates in /etc/shadow, and root can remove it again with chattr -i. It protects against mistakes and careless scripts, not against an attacker who already has root.

1.2 Enforcing Password Policies

Password aging defaults for accounts created from now on are set in /etc/login.defs (existing accounts keep their current values; adjust those with chage):

PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_WARN_AGE   14

Force a password change at the next login. The two commands are equivalent: both set the last-change date in /etc/shadow to 0 (the epoch), which makes the current password expired. Note that passwd -d is not the same thing: it deletes the password and leaves the account open without one.

sudo passwd -e existing_user
sudo chage -d 0 existing_user
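The checks above are easiest to apply consistently with a script. The following is an added example, not code from the original article: it reads passwd- and shadow-format files and reports system accounts with a login shell, empty passwords, locked accounts, accounts whose maximum password age exceeds PASS_MAX_DAYS, and weak hash types (what a John run in section 3.1 would crack first). The sample passwd and shadow content is constructed for the example with placeholder hashes; the UID 1000 boundary for system accounts and the 90-day limit are assumptions matching the article's login.defs values.

```shell
#!/usr/bin/env bash
# Added example (not part of the original article): an audit script that checks
# passwd- and shadow-format files for the conditions sections 1.1 and 1.2 act on,
# plus the hash-type check a John run (section 3.1) would otherwise reveal.
# The sample files below are constructed for this example; run the functions
# against /etc/passwd and /etc/shadow (as root) to audit a real host.
set -u

# 1.1 System accounts (UID below 1000, root excluded) that still have an
#     interactive shell instead of /sbin/nologin or /bin/false.
system_accounts_with_shell() {   # $1 = passwd file
    awk -F: '$3 < 1000 && $3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# 1.2 Entries with an empty password field: such accounts authenticate with no
#     credential at all and must be locked or given a password immediately.
empty_password_accounts() {      # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Locked accounts: passwd -l / usermod -L prefix the hash with "!", while "*"
# and "!!" mean no usable password was ever set.
locked_accounts() {              # $1 = shadow file
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Accounts with a usable password whose maximum age (field 5) is unset or
# larger than the PASS_MAX_DAYS policy. login.defs only affects new accounts,
# so this is how you find the old ones that still need "chage -M".
stale_max_age_accounts() {       # $1 = shadow file, $2 = PASS_MAX_DAYS
    awk -F: -v max="$2" \
        '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max) { print $1 }' "$1"
}

# Usable hashes that are not SHA-256 ($5$), SHA-512 ($6$) or yescrypt ($y$):
# MD5-crypt ($1$) and legacy DES hashes fall to a cracker far faster.
weak_hash_accounts() {           # $1 = shadow file
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$(5|6|y)\$/ { print $1 }' "$1"
}

# Constructed sample data (the hashes are placeholders, not real password hashes).
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
PASSWD_SAMPLE="$SAMPLE_DIR/passwd"
SHADOW_SAMPLE="$SAMPLE_DIR/shadow"
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
backupsvc:x:900:900:Backup service:/var/backups:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
inactive_user:x:1002:1002::/home/inactive_user:/bin/bash
legacy:x:1003:1003:Legacy app owner:/home/legacy:/bin/bash
guest:x:1004:1004::/home/guest:/bin/bash
EOF
cat >"$SHADOW_SAMPLE" <<'EOF'
root:$6$placeholder$rootrootroot:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
mysql:*:19000:0:99999:7:::
backupsvc:!!:19000:0:99999:7:::
alice:$6$placeholder$alicealice:19100:7:90:14:::
inactive_user:!$6$placeholder$inactiveinactive:19000:0:99999:7:::
legacy:$1$placeholder$legacylegacy:18000:0::7:::
guest::19000:0:99999:7:::
EOF

# Stand-alone report; pass real file paths and your PASS_MAX_DAYS to audit a host.
audit_report() {                 # $1 = passwd file, $2 = shadow file, $3 = PASS_MAX_DAYS
    printf 'System accounts with a login shell:\n%s\n\n' "$(system_accounts_with_shell "$1")"
    printf 'Accounts with an empty password:\n%s\n\n'    "$(empty_password_accounts "$2")"
    printf 'Locked accounts:\n%s\n\n'                    "$(locked_accounts "$2")"
    printf 'Max password age unset or above %s days:\n%s\n\n' "$3" "$(stale_max_age_accounts "$2" "$3")"
    printf 'Weak or legacy hash types:\n%s\n'            "$(weak_hash_accounts "$2")"
}
audit_report "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" 90
```

Against the sample, backupsvc is the one system account that still has a shell, guest has no password at all, root and legacy have no effective maximum age, and legacy is the only account still on MD5-crypt. Locked entries are listed separately so that the "no password" and "stale age" checks do not flag accounts that are already disabled.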

1.3 Command History Restrictions

Limit history size system-wide in /etc/profile. These values are only defaults: a user can override them in their own ~/.bashrc, so treat this as hygiene against secrets lingering in history files, not as an audit control:

HISTSIZE=10
HISTFILESIZE=10

Clear current session history:

history -c

To wipe the history file on logout, add the following to /etc/skel/.bash_logout (this applies only to accounts created afterwards, and it destroys evidence you may want during an incident; if accountability rather than secrecy is the goal, keep the history and rely on auditd instead):

rm -f "$HOME/.bash_history"

Enable an automatic session timeout after 10 minutes of inactivity (TMOUT is honoured by bash and ksh at the interactive prompt; mark it readonly so a user cannot simply unset it):

echo "export TMOUT=600" | sudo tee -a /etc/profile
echo "readonly TMOUT" | sudo tee -a /etc/profile   # otherwise any user can unset it

2. Authentication and Privilege Escalation Controls

2.1 Restricting su Access via PAM

In /etc/pam.d/su, uncomment the pam_wheel line so that only members of the wheel group may run su. The pam_rootok line lets root switch users without a password; comment it out only if you want root prompted as well:

# Comment out the root bypass if even root should authenticate
# auth [success=ignore default=bad] pam_rootok.so

# Require wheel membership (use_uid checks the calling process's real UID rather than the terminal's login user)
auth required pam_wheel.so use_uid

Add authorized users to the group:

sudo usermod -aG wheel alice

2.2 Understanding PAM Module Behavior

PAM configuration lines follow the format:

module_type control_flag module_path [arguments]

Key control flags (how one module's result combines with the rest of the stack):

  • required: Failure makes the whole stack fail, but the remaining modules still run, so the caller cannot tell which module rejected it.
  • requisite: Failure ends the stack immediately.
  • sufficient: Success ends the stack with a pass, unless an earlier required module has already failed; failure is ignored.
  • optional: The result only matters if it is the only module of its type in the stack.

Module types:

  • auth: Verifies identity (e.g., password, biometrics).
  • account: Enforces account policies (expiry, time-of-day restrictions).
  • password: Handles password updates and complexity checks.
  • session: Manages session setup/teardown (logging, environment).
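To see how these flags interact, here is an added example (not from the original article, and not calling libpam) that models the dispatcher's walk over one stack and applies it to the su configuration from 2.1. The three-module su stack and the pass/fail verdicts are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): a model of how Linux-PAM walks
# one module type (e.g. the "auth" stack) given each module's verdict. It makes
# the control-flag semantics above concrete; it does not call libpam and it
# ignores the rarer [value=action] forms such as success=N jumps.
# Input: one "<control_flag> <pass|fail>" line per module, in stack order.
# Prints "success" or "failure" and returns 0 or 1.
pam_eval() {
    local stack="$1" flag result
    local impression=undef   # undef | positive | negative, as in libpam's dispatcher
    while read -r flag result; do
        [ -z "$flag" ] && continue
        case "$flag" in
            required)
                # A failure is recorded but the remaining modules still run, so a
                # caller cannot tell which module rejected it.
                if [ "$result" = pass ]; then
                    [ "$impression" = undef ] && impression=positive
                else
                    impression=negative
                fi ;;
            requisite)
                # A failure ends the stack immediately.
                if [ "$result" = pass ]; then
                    [ "$impression" = undef ] && impression=positive
                else
                    echo failure; return 1
                fi ;;
            sufficient)
                # Success ends the stack with the verdict so far: success unless an
                # earlier required module already failed. A failure is ignored.
                if [ "$result" = pass ]; then
                    if [ "$impression" = negative ]; then echo failure; return 1; fi
                    echo success; return 0
                fi ;;
            optional)
                # Counts only if no other module has produced a verdict.
                if [ "$result" = pass ] && [ "$impression" = undef ]; then
                    impression=positive
                fi ;;
            *)
                echo "unknown control flag: $flag" >&2; return 2 ;;
        esac
    done <<EOF
$stack
EOF
    # libpam refuses a stack that never reached a positive verdict (every module
    # failed or was ignored), so "undef" at the end is a failure too.
    if [ "$impression" = positive ]; then echo success; return 0; fi
    echo failure; return 1
}

# The su stack from section 2.1 as three modules: pam_rootok (sufficient),
# pam_wheel (required), then pam_unix's password check (required).
ROOT_SU="$(printf 'sufficient pass\nrequired fail\nrequired pass')"         # root: pam_rootok short-circuits
WHEEL_USER="$(printf 'sufficient fail\nrequired pass\nrequired pass')"      # wheel member, right password
NON_WHEEL_USER="$(printf 'sufficient fail\nrequired fail\nrequired pass')"  # right password, wrong group
printf 'root:            %s\n' "$(pam_eval "$ROOT_SU")"
printf 'wheel member:    %s\n' "$(pam_eval "$WHEEL_USER")"
printf 'non-wheel user:  %s\n' "$(pam_eval "$NON_WHEEL_USER")"
```

The non-wheel case is the instructive one: pam_unix accepts the password, but the stack still fails because pam_wheel (required) recorded a negative verdict that a later success cannot overturn. Reorder the same modules so that a sufficient module comes first and it short-circuits everything after it, which is exactly what pam_rootok does for root.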

2.3 Configuring Granular sudo Permissions

Edit /etc/sudoers using sudo visudo. Example granting selective privileges:

wangwu ALL=(root) NOPASSWD: /usr/sbin/useradd, /usr/sbin/usermod

Define reusable aliases for scalability:

Cmnd_Alias USER_MGMT = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
User_Alias ADMINS = %admin, %wheel
ADMINS ALL = USER_MGMT

Be aware that useradd and usermod are root-equivalent when delegated like this: a user who may run usermod can add themselves to wheel, and useradd can create a second UID 0 account. Treat the lines above as syntax examples; delegate account management through a reviewed wrapper script that fixes the arguments, and keep ALL=(ALL) ALL for the people you actually trust with root.

Validate configurations:

sudo -l -U wangwu  # list allowed commands
sudo -v             # refresh timestamp
sudo -k             # invalidate timestamp

2.4 Session and Boot-Time Protections

Block non-root logins globally:

sudo touch /etc/nologin
# Any text placed in the file is shown to users who are refused;
# remove the file (or reboot) to restore access

Restrict root logins to physical consoles by editing /etc/securetty: keep only tty1 through tty6. This only has an effect where pam_securetty.so is in the login PAM stack; recent distributions have dropped /etc/securetty altogether, and SSH is governed by PermitRootLogin in sshd_config instead, so confirm the file is honoured before relying on it.

2.5 Securing GRUB Bootloader

Generate a PBKDF2 hash (the tool prompts for the password and prints a grub.pbkdf2.sha512... string):

grub2-mkpasswd-pbkdf2

Add the superuser and the hash to /etc/grub.d/40_custom. That file is copied verbatim into grub.cfg; /etc/grub.d/00_header, by contrast, is a shell script, so lines appended there would be executed by the shell rather than emitted into the configuration. On RHEL-family systems the grub2-setpassword helper does the equivalent for you:

cat <<EOF | sudo tee -a /etc/grub.d/40_custom
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.<hash>
EOF

Regenerate the GRUB config (on Debian-based systems the tools are grub-mkpasswd-pbkdf2 and update-grub, and on UEFI systems grub.cfg may live under /boot/efi/EFI/ instead):

sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Once superusers is set, every menu entry that is not marked --unrestricted requires the password just to boot, not only to edit entries. Fedora and RHEL add --unrestricted to generated entries; elsewhere, inspect the generated grub.cfg and test a reboot while you still have console access.

3. Proactive Security Auditing

3.1 Identifying Weak Passwords

Use John the Ripper to audit /etc/shadow (run as root, since only root can read it; the path below is the article's unpacked john-1.8.0 source tree):

sudo cp /etc/shadow /opt/shadow_audit
cd /opt/john-1.8.0/run
sudo ./john /opt/shadow_audit
sudo ./john --show /opt/shadow_audit
# Truncate the pot file of cracked hashes when the audit is finished
sudo sh -c '> john.pot'
# The copy is as sensitive as the original; remove it too
sudo rm /opt/shadow_audit

3.2 Network Service Enumeration

Install nmap and use it to see what your hosts expose (scan only networks you are authorised to test; the SYN, UDP and ping-sweep scans need root for raw sockets):

sudo yum install -y nmap
sudo nmap -sS -p- 127.0.0.1           # TCP SYN scan of all 65535 ports
sudo nmap -sU -p 53,67,68 192.168.1.1 # UDP scan of the DNS and DHCP ports
nmap -p 21 192.168.82.0/24            # find hosts with FTP (21/tcp) open
sudo nmap -sn 192.168.88.0/24         # ping sweep for live hosts, no port scan
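Scan results are more useful when scripts can consume them. As an added example (not from the original article), the functions below parse nmap's grepable output format (-oG) to list live hosts and hosts with a given port in a given state; the scan lines embedded in the script are constructed, not the output of a real scan, and the addresses in them are arbitrary.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): functions that turn nmap's
# grepable output (-oG) into host lists, so the sweeps above can feed scripts
# rather than eyeballs. The scan output below is constructed for the example;
# it is not the result of a real scan.
set -u

# Hosts that answered the probe (what a ping sweep such as "nmap -sn" reports).
live_hosts() {                   # $1 = .gnmap file
    awk '/^Host: / && /Status: Up/ { print $2 }' "$1"
}

# Hosts on which the given port is in the given state (open, closed, filtered).
# Each port entry in -oG output has the form port/state/protocol//service///.
hosts_with_port_state() {        # $1 = .gnmap file, $2 = port, $3 = state
    awk -v port="$2" -v state="$3" '
        /^Host: / && /Ports: / {
            host = $2
            sub(/.*Ports: /, "")                 # keep only the port list
            sub(/[ \t]+Ignored State:.*/, "")    # drop the trailing summary
            n = split($0, entries, /, /)
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[1] == port && f[2] == state) { print host; break }
            }
        }' "$1"
}

# Constructed sample in the -oG format of: nmap -p 21,22 -oG - 192.168.82.0/24
SCAN_SAMPLE="$(mktemp)"
trap 'rm -f "$SCAN_SAMPLE"' EXIT
cat >"$SCAN_SAMPLE" <<'EOF'
# Nmap 7.92 scan initiated as: nmap -p 21,22 -oG - 192.168.82.0/24
Host: 192.168.82.1 ()   Status: Up
Host: 192.168.82.1 ()   Ports: 21/closed/tcp//ftp///, 22/open/tcp//ssh///   Ignored State: closed (0)
Host: 192.168.82.10 ()  Status: Up
Host: 192.168.82.10 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///
Host: 192.168.82.25 (fileserver.internal)   Status: Up
Host: 192.168.82.25 (fileserver.internal)   Ports: 21/open/tcp//ftp///, 22/filtered/tcp//ssh///
Host: 192.168.82.40 ()  Status: Up
Host: 192.168.82.40 ()  Ports: 21/filtered/tcp//ftp///, 22/closed/tcp//ssh///
# Nmap done -- 256 IP addresses (4 hosts up) scanned
EOF

printf 'Live hosts:\n%s\n\n'             "$(live_hosts "$SCAN_SAMPLE")"
printf 'FTP (21/tcp) open on:\n%s\n\n'   "$(hosts_with_port_state "$SCAN_SAMPLE" 21 open)"
printf 'SSH (22/tcp) filtered on:\n%s\n' "$(hosts_with_port_state "$SCAN_SAMPLE" 22 filtered)"
```

With a real scan, save the result with -oG (for example nmap -p 21 192.168.82.0/24 -oG ftp_scan.gnmap) and call hosts_with_port_state ftp_scan.gnmap 21 open; the "filtered" state is worth listing separately, since it usually means a firewall is dropping the probe rather than the service being absent.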

3.3 Mitigating SSH Brute-Force Attacks

Configure pam_faillock in the stack that contains the password module, not in /etc/pam.d/sshd on its own: on RHEL 7 that is /etc/pam.d/password-auth, which sshd includes; on RHEL 8 and later run authselect enable-feature with-faillock and put the parameters in /etc/security/faillock.conf. Ordering matters: preauth goes before pam_unix, authfail directly after it, and the account line is needed for the lock to be enforced. (An authsucc line under [default=die], as sometimes seen, ends the stack with a failure even after a correct password.)

auth     required      pam_faillock.so preauth silent deny=3 unlock_time=600 even_deny_root root_unlock_time=1200
auth     sufficient    pam_unix.so try_first_pass
auth     [default=die] pam_faillock.so authfail deny=3 unlock_time=600 even_deny_root root_unlock_time=1200
account  required      pam_faillock.so

Query and reset the lock state with faillock (faillog belongs to the older pam_tally mechanism and does not see pam_faillock's counters):

sudo faillock --user alice
sudo faillock --user alice --reset
