
How to Harden Linux Server Security: Account, Login, and Boot Controls

This guide details practical Linux server hardening techniques—including account cleanup, password policies, su/sudo restrictions, login controls, and BIOS/GRUB protection—while providing exact command examples for operations teams to quickly improve system security.


Linux servers are widely deployed because the open‑source operating system is secure, efficient, and stable, but without proper controls they can still be compromised. This article covers Linux system security hardening from the perspectives of account security, boot control, and login control, using auxiliary tools to detect risks.

1. Basic Security Measures

1. Delete redundant system accounts such as “games” and any leftover program accounts.

2. Lock the <code>/etc/passwd</code> and <code>/etc/shadow</code> files to prevent adding users or changing passwords:

<code>[root@localhost ~]# chattr +i /etc/passwd /etc/shadow             # lock files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow                  # verify lock
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow             # unlock files</code>

3. Enforce password expiration to limit the maximum password age, e.g., set <code>PASS_MAX_DAYS</code> to 30 and force a password change at next login:

<code>[root@localhost ~]# vim /etc/login.defs                # applies to new users
                     ........................
PASS_MAX_DAYS   30             # change default from 99999 to 30 days.
[root@localhost ~]# chage -M 30 lv             # applies to existing user
[root@localhost ~]# chage -d 0 zhangsan               # user must change password at next login</code>

4. Configure command history size and automatic logout (TMOUT) to improve session security:

<code># For new login users
[root@localhost ~]# vim /etc/profile
                         ................
HISTSIZE=200                 # keep 200 commands in history
export TMOUT=600             # auto‑logout after 600 seconds

# For current user
[root@localhost ~]# export HISTSIZE=200       # command history size
[root@localhost ~]# export TMOUT=600           # auto‑logout timeout</code>

Note: Disable TMOUT during long‑running operations by running <code>unset TMOUT</code>.
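To verify the password‑ageing policy above across many accounts at once, here is an added audit script (not part of the original article) that reads /etc/passwd‑ and /etc/shadow‑format text and reports every account with a login shell whose maximum password age is unset or longer than 30 days; the sample account data and the function name audit_password_age are constructed for this example.

```shell
#!/bin/sh
# Added audit example, not from the original article. The account data below is
# constructed sample data; the "$6$placeholder" strings are not real hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
lv:x:1000:1000::/home/lv:/bin/bash
zhangsan:x:1001:1001::/home/zhangsan:/bin/bash
backup:x:1002:1002::/home/backup:/bin/bash'

SAMPLE_SHADOW='root:$6$placeholder:19000:0:99999:7:::
games:*:19000:0:99999:7:::
lv:$6$placeholder:19000:0:30:7:::
zhangsan:$6$placeholder:0:0:30:7:::
backup:$6$placeholder:19000:0:99999:7:::'

MAX_DAYS=30   # the PASS_MAX_DAYS value recommended above

# audit_password_age PASSWD_TEXT SHADOW_TEXT
# Prints "user:maxdays" for every account with a login shell whose maximum
# password age (field 5 of the shadow entry) is unset or larger than $MAX_DAYS.
# Accounts with /sbin/nologin or /bin/false (such as "games") are skipped: they
# cannot log in, and the article recommends deleting them outright.
audit_password_age() {
    printf '%s\n' "$1" | while IFS=: read -r user _ _ _ _ _ shell; do
        case "$shell" in */nologin|*/false) continue ;; esac
        max=$(printf '%s\n' "$2" | awk -F: -v u="$user" '$1 == u { print $5 }')
        if [ -z "$max" ] || [ "$max" -gt "$MAX_DAYS" ]; then
            printf '%s:%s\n' "$user" "${max:-unset}"
        fi
    done
}

# Run against the sample data. On a real host (as root) use the live files:
#   audit_password_age "$(cat /etc/passwd)" "$(cat /etc/shadow)"
audit_password_age "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

With the sample data only root and backup are reported: lv already has a 30‑day maximum, and zhangsan has the 30‑day maximum plus a forced change at next login (last‑change field 0, as set by chage -d 0).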

2. User Switching and Privilege Escalation Control

1. Restrict the <code>su</code> command to members of the wheel group using the <code>pam_wheel</code> module.

<code>[root@localhost ~]# gpasswd -a admin wheel                  # add authorized user to wheel group
[...]
[root@localhost ~]# grep wheel /etc/group             # verify wheel members
wheel:x:10:lv,admin
[root@localhost ~]# vim /etc/pam.d/su

#%PAM-1.0
auth            sufficient      pam_rootok.so
                        ...................
auth            required        pam_wheel.so use_uid          # uncomment this line</code>

After this, only users in the wheel group can use <code>su</code>, and each use is logged to <code>/var/log/secure</code>.

2. Manage <code>sudo</code> privileges via <code>/etc/sudoers</code>, edited with <code>visudo</code>. The basic syntax is <code>user MACHINE=COMMANDS</code>, where:

user – a specific username, or <code>%group</code> to grant a whole group.

MACHINE – the host name, usually <code>localhost</code> or the actual host.

COMMANDS – absolute paths of the allowed commands, comma‑separated.

Example: allow user <code>jerry</code> to run <code>/sbin/ifconfig</code>, and let the wheel group run any command without a password.

<code>[root@localhost ~]# visudo
                      .........................
jerry   localhost=/sbin/ifconfig
%wheel  ALL=NOPASSWD:ALL</code>

When many users or commands need similar rights, define aliases:

<code>[root@localhost ~]# visudo
                      .........................
User_Alias      OPERATORS=user1,user2,user3                 # user list
Host_Alias      MAILSVRS=smtp,pop                            # host list
Cmnd_Alias      PKGTOOLS=/bin/rpm,/usr/bin/yum               # command list
OPERATORS       MAILSVRS=PKGTOOLS                              # associate lists</code>

Additional sudo notes: the first use requires the user’s password; subsequent uses within 5 minutes skip verification. <code>sudo -l</code> lists a user’s privileges; if it shows <code>(ALL) ALL</code>, the configuration is too permissive.
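To catch the over‑permissive rules this note warns about before they reach production, here is an added example (not part of the original article) that scans sudoers‑format text and flags every user specification whose command list is ALL or NOPASSWD:ALL; the sample sudoers content and the function name audit_sudoers are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. The sudoers text below is
# constructed sample data: the article's own rules plus two extra entries.
SAMPLE_SUDOERS='Defaults    env_reset
root    ALL=(ALL)       ALL
jerry   localhost=/sbin/ifconfig
%wheel  ALL=NOPASSWD:ALL
User_Alias      OPERATORS=user1,user2,user3
Cmnd_Alias      PKGTOOLS=/bin/rpm,/usr/bin/yum
OPERATORS       MAILSVRS=PKGTOOLS
bob     ALL=(ALL) ALL
# alice ALL=(ALL) NOPASSWD: ALL'

# audit_sudoers SUDOERS_TEXT
# Prints "<user-or-group>: <reason>" for each user specification whose command
# list is ALL (any command) or NOPASSWD:ALL (any command, no password asked).
# Comments, blank lines, Defaults lines and alias definitions are ignored.
audit_sudoers() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        {
            who = $1
            rule = $0
            sub(/^[^[:space:]]+[[:space:]]+/, "", rule)   # strip the user column
            if (rule ~ /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/)
                print who ": NOPASSWD:ALL (any command without a password)"
            else if (rule ~ /(^|[[:space:]=])ALL[[:space:]]*$/)
                print who ": ALL (any command)"
        }'
}

# Run against the sample data. On a real host (as root): audit_sudoers "$(cat /etc/sudoers)"
audit_sudoers "$SAMPLE_SUDOERS"
```

The jerry rule, the alias lines and the commented‑out alice line produce no findings; root, %wheel and bob are reported for review.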

3. Terminal and Login Control

1. Disable root login on selected terminals by commenting out their entries in <code>/etc/securetty</code> (e.g., <code>#tty5</code>, <code>#tty6</code>).

<code>[root@localhost ~]# vim /etc/securetty
                               .........................
#tty5
#tty6</code>

2. Prevent non‑root users from logging in during maintenance by creating <code>/etc/nologin</code>. The file is checked by the login program; removing it or rebooting restores normal access.

<code>[root@localhost ~]# touch /etc/nologin</code>

4. Power‑On/Off Security

1. Set a BIOS password and enable it.

2. Disable the Ctrl+Alt+Del reboot shortcut.

<code>[root@localhost ~]# systemctl mask ctrl-alt-del.target                   # disable service
Created symlink from /etc/systemd/system/ctrl-alt-del.target to /dev/null.
[root@localhost ~]# systemctl daemon-reload                # reload systemd</code>

To re‑enable the shortcut, unmask the target and reload:

<code>[root@localhost ~]# systemctl unmask ctrl-alt-del.target
Removed symlink /etc/systemd/system/ctrl-alt-del.target.
[root@localhost ~]# systemctl daemon-reload</code>

3. Protect GRUB boot parameters by setting a superuser and password, backing up the configuration files, and regenerating <code>grub.cfg</code>:

<code>[root@localhost ~]# grub2-mkpasswd-pbkdf2                         # generate password hash
输入口令:                          # set the password to “111111”
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F7169053E0A4C582D0D65D3181CBDF7306E56AAB4D5F6910A576FA42CAD66DE8A28019CC403E8A0A75C56B517325A10D63DF85BD018FEF345359677B403F9FE4.C1E18CA9FFB54BF3AAE7EC0A03B41DD384A5ECB38A42F651C9467442EB41F7319BF4B3C600EC8CC7562C3AF188DB77BDA5FDE4E978E72BD715A77F965CC9EFBD
# Backup GRUB files
[root@localhost ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
[root@localhost ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
[root@localhost ~]# vim /etc/grub.d/00_header
# Append at the end
cat << EOF
set superusers="change"
password_pbkdf2 change grub.pbkdf2.sha512.10000.F7169053E0A4C582D0D65D3181CBDF7306E56AAB4D5F6910A576FA42CAD66DE8A28019CC403E8A0A75C56B517325A10D63DF85BD018FEF345359677B403F9FE4.C1E18CA9FFB54BF3AAE7EC0A03B41DD384A5ECB38A42F651C9467442EB41F7319BF4B3C600EC8CC7562C3AF188DB77BDA5FDE4E978E72BD715A77F965CC9EFBD
EOF
[root@localhost ~]# grub2-mkconfig -o /boot/grub2/grub.cfg             # generate new config
Generating grub configuration file ...
... (output omitted)</code>

After reboot, modifying GRUB entries requires the username “change” and the password set above.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
