Essential Linux Hardening: Disable Root Login, Enforce Password Policies, and Secure Services
This guide walks through six practical Linux hardening steps—including disabling root password login, enforcing complex password rules with expiration, restricting sudo access, shutting down FTP, setting file ownership and permissions, and managing command history—to improve system security.
Link: https://www.cnblogs.com/zjdxr-up/p/16704040.html
1. Disable root password login
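Edit /etc/ssh/sshd_config and set PermitRootLogin to no so that root cannot log in over SSH. sshd does not accept false as a value for this option and will refuse to load a configuration that uses it. To block only password authentication for root while still allowing key-based login, use prohibit-password instead.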
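The check below is an added example, not part of the original article: it reads the global section of an sshd_config-style file and reports whether the effective PermitRootLogin value blocks root password login, treating any argument sshd does not accept (such as false) as invalid. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.

# Print the first PermitRootLogin argument in the global section of an
# sshd_config-style file ($1), or "unset" if none appears before a Match block.
# sshd uses the first value obtained for a keyword; keywords are
# case-insensitive. Include directives are not followed here.
permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # leading whitespace
            sub(/[ \t]*[= \t][ \t]*/, " ", line)     # "Key value" or "Key=value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
        }
        key == "match" { exit }                      # conditional blocks start here
        key == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Map that value to: blocked, allowed, default (compiled-in default applies,
# which depends on the OpenSSH version) or invalid (sshd rejects the file).
root_login_status() {
    case "$(permit_root_login "$1")" in
        no|prohibit-password|without-password|forced-commands-only) echo blocked ;;
        yes)   echo allowed ;;
        unset) echo default ;;
        *)     echo invalid ;;
    esac
}

# Constructed sample: a commented-out line, then an unsupported value.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin false' > "$sample"
echo "sample config: $(root_login_status "$sample")"
rm -f "$sample"
```

On a live host, sshd -T prints the effective configuration with defaults and Include files resolved, which is the authoritative answer.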
2. Enforce Linux password complexity and expiration
Requirements:
Passwords must contain at least three character classes and be longer than 15 characters.
Set expiration for manually added user passwords using chage.
View a user's password aging information:
chage -l test
Set password expiration (in days) for a user:
chage -M number-of-days username
3. Verify sudo permissions
The sudo mechanism is configured via /etc/sudoers. By default only the root account has sudo rights. To maintain security, avoid adding other users to the sudoers file unless absolutely necessary.
4. Disable FTP service
Check for running FTP processes:
ps -ef | grep ftp
Terminate the FTP process (replace pid with the actual process ID):
kill -9 pid
5. Set file ownership and permissions
Assign ownership recursively:
chown -R test:test /opt/test/
Set read/write/execute permissions (example: read-only for owner):
chmod 400 /opt/test/
6. Manage command history
Linux records command history via the history command. By default it stores up to 1000 lines; the limit can be adjusted in /etc/profile (e.g., set to 20).
After completing security configurations, clear the history to remove traces of the commands used:
echo > $HOME/.bash_history
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.