Multiple Ways to Ensure Linux Server Security (2)

Continuing from our last post, today we take a further look at Linux server security.

Terminal and login control:

Disable root user login:

The login program reads the /etc/securetty file to determine which terminals the root user is allowed to log in from. To stop the root user from logging in on tty5 and tty6, simply comment out the corresponding lines in the file:

[root@localhost ~]# vim /etc/securetty

Disable normal users from logging in:

When you are debugging the server and do not want new users logging in to the system, you can create the /etc/nologin file. The login program checks whether the /etc/nologin file exists. If it does, normal users are refused login (the root user is not restricted). This method is only recommended for temporary use during server maintenance. When you manually delete the /etc/nologin file or restart the host, logins return to normal. Create the file as follows:

[root@localhost ~]# touch /etc/nologin 

System on/off safety control

  • Adjust the BIOS boot settings, set a password for the BIOS, and enable it;
  • Disable the Ctrl+Alt+Del shortcut to restart the host:
[root@localhost ~]# systemctl mask                   #mask the ctrl-alt-del service
Created symlink from /etc/systemd/system/ to /dev/null.
[root@localhost ~]# systemctl daemon-reload                #reload the systemd configuration

To re-enable the ctrl-alt-del shortcut function, just do the following:

[root@localhost ~]# systemctl unmask 
Removed symlink /etc/systemd/system/
[root@localhost ~]# systemctl daemon-reload 
  • Limit changes to GRUB boot parameters:

While the Linux system is booting, anyone at the console can press “e” in the GRUB boot menu, modify the boot parameters, and enter the system environment without any password. This is obviously a great threat to the server. To close it, set a password for the GRUB menu as follows, so that the boot parameters can only be modified after entering the correct password:

[root@localhost ~]# grub2-mkpasswd-pbkdf2                         #Follow the hint to set password
输入口令:                      #set password as "111111"
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F7169053E0A4C582D0D65D3181CBDF7306E56AAB4D5F6910A576FA42CAD66DE8A28019CC403E8A0A75C56B517325A10D63DF85BD018FEF345359677B403F9FE4.C1E18CA9FFB54BF3AAE7EC0A03B41DD384A5ECB38A42F651C9467442EB41F7319BF4B3C600EC8CC7562C3AF188DB77BDA5FDE4E978E72BD715A77F965CC9EFBD                       #encrypted password hash string
#in case of error in changing grub menu, back up related files first
[root@localhost ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
[root@localhost ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
[root@localhost ~]# vim /etc/grub.d/00_header
#add following content to the end of file

Now restart the server and enter the GRUB menu. Pressing “e” no longer lets you modify the boot parameters directly; to modify them you must first enter the correct GRUB username and password (following the steps above, the username is "change" and the password is "111111").
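An added example, not part of the original post: a read-only shell audit that checks whether the controls covered above are in place, with a constructed sample tree to try it on. The function names, the `ctrl-alt-del.target` unit name (the mask command above does not show it) and the `set superusers=` / `password_pbkdf2` lines it looks for in grub.cfg (standard GRUB 2 directives; the post's own 00_header addition is not shown) are assumptions.

```bash
#!/bin/bash
# Added example: audit this post's controls under a root prefix ("" = live system).

# Terminals still listed (uncommented, non-blank) in securetty.
root_ttys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1/etc/securetty" 2>/dev/null
}

# True if the unit's entry in /etc/systemd/system is a symlink to /dev/null.
unit_masked() {
    [ "$(readlink "$1/etc/systemd/system/$2" 2>/dev/null)" = "/dev/null" ]
}

# True if grub.cfg names a superuser and carries a PBKDF2 password entry.
grub_locked() {
    grep -Eq '^[[:space:]]*set superusers=' "$1/boot/grub2/grub.cfg" 2>/dev/null &&
        grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.' \
            "$1/boot/grub2/grub.cfg"
}

# Print one finding per line; return 0 only when there are none.
audit_login_boot() {
    root="${1:-}"
    findings=$(
        # A missing file means there is no root terminal allow-list to check.
        [ -f "$root/etc/securetty" ] || echo "securetty: file missing, no root terminal allow-list"
        for t in tty5 tty6; do
            if root_ttys "$root" | grep -qx "$t"; then
                echo "securetty: root may still log in on $t"
            fi
        done
        [ ! -e "$root/etc/nologin" ] || echo "nologin: maintenance lock still in place"
        # Unit name is an assumption: the post's mask command does not show it.
        unit_masked "$root" ctrl-alt-del.target || echo "systemd: ctrl-alt-del.target not masked"
        grub_locked "$root" || echo "grub: no superuser/password_pbkdf2 in grub.cfg"
    )
    [ -z "$findings" ] || { printf '%s\n' "$findings"; return 1; }
}

# Constructed sample tree (not real system data) with every control applied.
make_hardened_tree() {
    mkdir -p "$1/etc/systemd/system" "$1/boot/grub2"
    printf '%s\n' console tty1 tty2 '#tty5' '#tty6' > "$1/etc/securetty"
    ln -sf /dev/null "$1/etc/systemd/system/ctrl-alt-del.target"
    printf '%s\n' 'set superusers="change"' \
        'password_pbkdf2 change grub.pbkdf2.sha512.10000.PLACEHOLDER' \
        > "$1/boot/grub2/grub.cfg"
}
```

Run `audit_login_boot ""` as root to check the live system; it only reads files and changes nothing.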

That should cover most of the security weaknesses on a Linux server, which we should harden every time we set up or take over one.