2025-02-24 Update From: SLTechnology News&Howtos (shulou), Servers
Shulou(Shulou.com)06/01 Report--
This article explains how to harden account security as part of Linux system security hardening. It covers each step in detail and is a useful reference for anyone maintaining Linux servers.
1. Set password policy
[root@lkjtest ~]# cat /etc/login.defs | grep -v "#" | grep PASS
PASS_MAX_DAYS   180
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
Parameter description:
PASS_MAX_DAYS: maximum number of days a password may be used before it expires
PASS_MIN_DAYS: minimum number of days that must pass between password changes
PASS_MIN_LEN: minimum password length
PASS_WARN_AGE: number of days before expiry on which the user starts being warned
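A small audit script for the policy above, added here as an example (it is not part of the original article). It writes two constructed login.defs samples to temporary files, one with stock values and one with the values from this section, and reports which PASS_* settings fall short of the recommended ones. The recommended thresholds (180 / 0 / 5 / 7) are the article's own; everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the article): audit the PASS_* settings of a
# login.defs-style file against the policy this section recommends.
# The two files are constructed samples written to temporary paths.

WEAK_DEFS=$(mktemp)
HARD_DEFS=$(mktemp)
trap 'rm -f "$WEAK_DEFS" "$HARD_DEFS"' EXIT

# Constructed sample: stock settings as shipped by many distributions.
cat > "$WEAK_DEFS" <<'EOF'
# constructed sample login.defs (comments and unrelated keys are ignored)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         1000
EOF

# Constructed sample: the values shown in this section of the article.
cat > "$HARD_DEFS" <<'EOF'
PASS_MAX_DAYS   180
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF

# login_defs_value FILE KEY: print the value of KEY, skipping comment lines.
login_defs_value() {
    awk -v key="$2" '$1 !~ /^#/ && $1 == key { print $2; exit }' "$1"
}

# check_password_policy FILE: print one verdict per parameter and return 1
# if any value is missing or weaker than the recommended one.
check_password_policy() {
    file=$1
    status=0
    for spec in "PASS_MAX_DAYS le 180" "PASS_MIN_DAYS ge 0" \
                "PASS_MIN_LEN ge 5" "PASS_WARN_AGE ge 7"; do
        set -- $spec            # key, test(1) comparison operator, recommended value
        have=$(login_defs_value "$file" "$1")
        if [ -z "$have" ]; then
            printf '%s: missing\n' "$1"
            status=1
        elif [ "$have" "-$2" "$3" ]; then
            printf '%s=%s: ok\n' "$1" "$have"
        else
            printf '%s=%s: weak (recommended %s)\n' "$1" "$have" "$3"
            status=1
        fi
    done
    return $status
}

echo "--- stock file"
check_password_policy "$WEAK_DEFS" || echo "policy NOT met"
echo "--- hardened file"
check_password_policy "$HARD_DEFS" && echo "policy met"
```

Two caveats worth knowing when you run this against a real /etc/login.defs: the PASS_* values only apply to accounts created after the change, so existing accounts need their ageing set with chage (for example chage -M 180 USER), and PASS_MIN_LEN is ignored on systems where pam_cracklib or pam_pwquality enforces the password length instead.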
2. Restrict remote logins of users
vim /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
Note: the line must be placed at the top of the file, directly after "#%PAM-1.0". If it is placed at the end, the user is still marked as locked after the failed attempts, but a correct username and password still log in successfully, because an earlier "sufficient" module has already accepted the login before pam_tally2 is consulted.
Parameter description:
even_deny_root: the root user is restricted as well.
deny: the number of consecutive failed logins allowed for ordinary users and root; if the number exceeds this value, the user is locked.
unlock_time: how long, in seconds, an ordinary user stays locked before being unlocked automatically.
root_unlock_time: how long, in seconds, the root user stays locked before being unlocked automatically.
3. Restrict user logins on a tty (console)
vim /etc/pam.d/login
#%PAM-1.0
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
Note: the line must be placed at the top of the file, directly after "#%PAM-1.0". If it is placed at the end, the user is still marked as locked after the failed attempts, but a correct username and password still log in successfully, because an earlier "sufficient" module has already accepted the login before pam_tally2 is consulted.
Parameter description:
even_deny_root: the root user is restricted as well.
deny: the number of consecutive failed logins allowed for ordinary users and root; if the number exceeds this value, the user is locked.
unlock_time: how long, in seconds, an ordinary user stays locked before being unlocked automatically (the option is unlock_time; the similarly named lock_time option has a different meaning).
root_unlock_time: how long, in seconds, the root user stays locked before being unlocked automatically.
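Because the placement of the pam_tally2 line is the part of sections 2 and 3 that is easiest to get wrong, here is an added check script (not from the article) that reports where the pam_tally2 auth line sits in a PAM service file. The two PAM files are constructed samples written to temporary paths; a real check would be pointed at /etc/pam.d/sshd or /etc/pam.d/login.

```shell
#!/bin/sh
# Added example (not from the article): check where a pam_tally2 "auth" line
# sits in a PAM service file. Both PAM files below are constructed samples.

PAM_TOP=$(mktemp)
PAM_END=$(mktemp)
trap 'rm -f "$PAM_TOP" "$PAM_END"' EXIT

# Constructed sample: pam_tally2 placed directly after the #%PAM-1.0 header.
cat > "$PAM_TOP" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
EOF

# Constructed sample: the same line appended at the end of the auth stack.
cat > "$PAM_END" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
account    required     pam_nologin.so
EOF

# tally_auth_rank FILE: print the 1-based position of the pam_tally2 line
# among the file's auth lines, or 0 if there is none.
tally_auth_rank() {
    awk '$1 == "auth" { n++; if ($0 ~ /pam_tally2\.so/) { print n; found = 1; exit } }
         END { if (!found) print 0 }' "$1"
}

# check_tally_first FILE: return 0 only if pam_tally2 is the first auth line.
check_tally_first() {
    rank=$(tally_auth_rank "$1")
    case $rank in
        1) printf '%s: pam_tally2 is the first auth line (ok)\n' "$1"; return 0 ;;
        0) printf '%s: no pam_tally2 auth line found\n' "$1"; return 1 ;;
        *) printf '%s: pam_tally2 is auth line %s of the stack; move it to the top\n' "$1" "$rank"; return 1 ;;
    esac
}

check_tally_first "$PAM_TOP"
check_tally_first "$PAM_END" || true
```

Note that pam_tally2 was removed from Linux-PAM in release 1.5.0, so recent distributions ship pam_faillock instead; the same placement rule applies to its preauth line.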
4. Check the number of failed logins for a user
[root@localhost ~]# pam_tally2 --user root
Login           Failures Latest failure     From
root                0
5. Unlock the specified user
[root@localhost ~]# pam_tally2 -r -u root
Login           Failures Latest failure     From
root                0
6. Set password complexity
Edit /etc/pam.d/system-auth, find the pam_cracklib line, and add parameters as follows:
[root@lkjtest ~]# cat /etc/pam.d/system-auth | grep cracklib
password requisite pam_cracklib.so retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
Parameter description:
retry=5: the user may try up to 5 times to enter an acceptable new password
difok=3: at least 3 characters of the new password must differ from the old one
minlen=10: the password must be at least 10 characters long
ucredit=-1: at least one upper-case letter
lcredit=-1: at least one lower-case letter
dcredit=-1: at least one digit
ocredit=-1: at least one other (non-alphanumeric) character
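To see what the rules above accept and reject, here is an added example (not from the article) that applies the same rules as a local pre-check to a candidate password. It assumes ASCII passwords, and its difok check is a simplification that counts characters of the new password that do not occur anywhere in the old one; pam_cracklib's own difok metric is a different distance calculation, so treat this as an illustration of the rule rather than a bit-exact copy.

```shell
#!/bin/sh
# Added example (not from the article): a local pre-check applying the
# pam_cracklib rules from this section (minlen=10, ucredit=-1, lcredit=-1,
# dcredit=-1, ocredit=-1, difok=3). Assumes ASCII passwords without
# backslashes (awk -v would interpret backslash escapes).

# count_class STRING CLASS: number of characters of STRING in the tr class CLASS.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_password_complexity PASSWORD: print "ok" and return 0 when every rule
# holds; otherwise print the first failed rule and return 1.
check_password_complexity() {
    pw=$1
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    upper=$(count_class "$pw" '[:upper:]')
    lower=$(count_class "$pw" '[:lower:]')
    digit=$(count_class "$pw" '[:digit:]')
    other=$((len - upper - lower - digit))     # everything that is not a letter or digit
    [ "$len" -ge 10 ]  || { echo "minlen=10: only $len characters"; return 1; }
    [ "$upper" -ge 1 ] || { echo "ucredit=-1: no upper-case letter"; return 1; }
    [ "$lower" -ge 1 ] || { echo "lcredit=-1: no lower-case letter"; return 1; }
    [ "$digit" -ge 1 ] || { echo "dcredit=-1: no digit"; return 1; }
    [ "$other" -ge 1 ] || { echo "ocredit=-1: no non-alphanumeric character"; return 1; }
    echo ok
    return 0
}

# difok_count OLD NEW: characters of NEW that do not occur anywhere in OLD
# (simplified approximation of pam_cracklib's difok, see the lead-in).
difok_count() {
    awk -v old="$1" -v new="$2" 'BEGIN {
        n = 0
        for (i = 1; i <= length(new); i++)
            if (index(old, substr(new, i, 1)) == 0) n++
        print n
    }'
}

# check_password_change OLD NEW: complexity rules plus the difok=3 rule.
check_password_change() {
    msg=$(check_password_complexity "$2") || { echo "$msg"; return 1; }
    d=$(difok_count "$1" "$2")
    [ "$d" -ge 3 ] || { echo "difok=3: only $d new characters"; return 1; }
    echo ok
    return 0
}

for candidate in 'password' 'Str0ng!Pass' 'NoDigitsHere!'; do
    printf '%-14s -> %s\n' "$candidate" "$(check_password_complexity "$candidate")"
done
check_password_change 'Str0ng!Pass' 'Str0ng!Pass1' || true
```

Running the block prints a verdict per candidate; the last call shows a change that passes every complexity rule but is rejected because only one character is new.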
7. Restrict who may use su
If you do not want every user to be able to use su to become root, add the following restriction:
Edit the /etc/pam.d/su file and add the following two lines:
auth sufficient pam_rootok.so debug
auth required pam_wheel.so group=admin
After this, only members of the admin group can use su.
8. Set the time period during which users may log in
Sometimes, for the security of system logins, you need to restrict a user to logging in only during a specific time window. This is done with pam_time as follows.
# vi /etc/pam.d/sshd
Add the following line:
account required pam_time.so
# vi /etc/security/time.conf
Add the following line (format: services;ttys;users;times):
sshd;*;admin;!Th2100-2300
time.conf parameter description:
sshd: only the ssh service is restricted
*: any terminal; a specific terminal such as tty1 or tty2 can be given instead
admin: only the admin user is restricted
!Th2100-2300: login is allowed at all times except 21:00-23:00 on Thursday (Th); the leading ! negates the time range.
9. Handling of special accounts
If you do not use sendmail, delete the following users:
[root@localhost ~]# userdel adm
[root@localhost ~]# userdel lp
[root@localhost ~]# userdel sync
[root@localhost ~]# userdel shutdown
[root@localhost ~]# userdel halt
[root@localhost ~]# userdel mail
If you do not run an X Window server, you can delete these:
[root@localhost ~]# userdel news
[root@localhost ~]# userdel uucp
[root@localhost ~]# userdel operator
[root@localhost ~]# userdel games
If anonymous FTP is not allowed, delete these:
[root@localhost ~]# userdel gopher
[root@localhost ~]# userdel ftp
10. Set the idle logout time and the size of the command history
[root@tp ~]# vi /etc/profile
...
HOSTNAME=`/bin/hostname`
HISTSIZE=1000    # number of commands kept in a user's command history; keep it as small as possible, or set it to 0
TMOUT=600        # a user who does nothing for 600 seconds (10 minutes) is logged out automatically
The variable name is TMOUT in upper case; the shell ignores "Tmout". Note that a user can change or unset TMOUT in their own shell unless it is exported and marked read-only in the profile.
11. Preventing brute-force cracking
To protect user accounts against brute-force password guessing, the following methods are commonly used:
DenyHosts: refer to the official documentation for the specific use of this software.
Write a script that checks the /var/log/secure log file: count the login failures per source IP in the log, and add any IP that reaches the threshold to /etc/hosts.deny so that it is denied further access.
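The script the last bullet describes, written out as an added example (it is not from the article). The log lines are constructed in the format sshd writes to /var/log/secure, and the deny list is written to a temporary file rather than to /etc/hosts.deny, so the block can be run anywhere without touching the system; the threshold of 3 failures mirrors deny=3 in section 2 and is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the article): count failed SSH logins per source
# address in a /var/log/secure-style file and emit hosts.deny entries for
# addresses at or above a threshold. All log lines below are constructed;
# the deny file is a temporary file, not the real /etc/hosts.deny.

SAMPLE_SECURE=$(mktemp)
DENY_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_SECURE" "$DENY_FILE"' EXIT

cat > "$SAMPLE_SECURE" <<'EOF'
Jun  1 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jun  1 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 40123 ssh2
Jun  1 10:00:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Jun  1 10:00:07 host sshd[1203]: Failed password for alice from 198.51.100.7 port 50010 ssh2
Jun  1 10:00:09 host sshd[1204]: Accepted password for alice from 198.51.100.7 port 50011 ssh2
EOF

# failed_login_counts LOGFILE: print "COUNT IP" per source address, highest first.
# The address is the field after "from", which works for both the plain and the
# "invalid user" forms of the sshd message.
failed_login_counts() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# build_deny_list LOGFILE THRESHOLD: one "sshd: IP" line per address with at
# least THRESHOLD failures.
build_deny_list() {
    failed_login_counts "$1" | awk -v t="$2" '$1 >= t { print "sshd: " $2 }'
}

# apply_deny_list LOGFILE THRESHOLD DENYFILE: append entries that are not yet
# present, so the function can run repeatedly from cron without duplicating lines.
apply_deny_list() {
    build_deny_list "$1" "$2" | while IFS= read -r entry; do
        grep -qxF -- "$entry" "$3" 2>/dev/null || printf '%s\n' "$entry" >> "$3"
    done
}

# deny_entries DENYFILE: number of entries currently in the deny file.
deny_entries() {
    wc -l < "$1" | tr -d ' '
}

echo "failures per address:"
failed_login_counts "$SAMPLE_SECURE"
apply_deny_list "$SAMPLE_SECURE" 3 "$DENY_FILE"
apply_deny_list "$SAMPLE_SECURE" 3 "$DENY_FILE"   # second run adds nothing
echo "deny file ($(deny_entries "$DENY_FILE") entry):"
cat "$DENY_FILE"
```

Two points to check before relying on this on a real host: /etc/hosts.deny only affects sshd if it was built with TCP wrappers (libwrap), which OpenSSH dropped in version 6.7, so on newer systems the same list should feed a firewall rule or a tool such as DenyHosts or fail2ban instead; and the script should skip your own management addresses, otherwise a burst of mistyped passwords from the admin network locks the administrators out too.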
That concludes the article "How to strengthen account security as part of Linux system security hardening". Thank you for reading; we hope the content is useful, and for more related material follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.