Linux加固常用记录
#设置密码复杂度
shell操作:
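# Password complexity: enable pam_cracklib.so in /etc/pam.d/system-auth unless an active
# (uncommented) rule already exists, so re-running is idempotent. The rule is inserted before
# the pam_pwquality.so line; the anchor tolerates the multi-space column alignment of stock PAM
# files instead of requiring the exact single-spaced text. sed's `i\` is a silent no-op when the
# anchor is absent, so the anchor is checked first and a warning is printed instead.
# Note: pam_pwquality.so is the successor of pam_cracklib.so; with both present the password is
# checked by two modules.
if ! grep -v '^#' /etc/pam.d/system-auth | grep -q 'pam_cracklib\.so'; then
  if grep -Eq '^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' /etc/pam.d/system-auth; then
    sed -i -E '/^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so/i\password required pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=4' /etc/pam.d/system-auth
  else
    printf '%s: pam_pwquality.so anchor line not found, pam_cracklib.so rule not inserted\n' /etc/pam.d/system-auth >&2
  fi
fi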
参数解释:
retry=3
修改密码的时候,可以重试的次数
difok=4
与旧密码不同的字符个数
minlen=8
新密码最小长度
这里记住一个规律:取值大于 0(正数)表示该类字符最多只能有几个;取值小于 0(负数)表示该类字符至少要有几个。
dcredit=-1
表示设置密码时数字的个数必须至少含有一个
ucredit=-1
表示设置密码时大写字母的个数必须至少含有一个
lcredit=-1
表示设置密码时小写字母的个数必须至少含有一个
ocredit=-1
表示设置密码时特殊字符的个数必须至少含有一个
#修改密码时效
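# Password ageing in /etc/login.defs. Each key is anchored at line start and its whole value is
# replaced, so the edit is idempotent and independent of the current default (the previous
# `s/7/10/` form rewrote the first matching digit anywhere on the line, e.g. 17 -> 107).
# `\1` is the key, `\t` restores the tab separator used in login.defs. Commented-out keys
# (`#PASS_...`) are intentionally left alone.
sed -i -E \
  -e 's/^(PASS_WARN_AGE)[[:space:]].*/\1\t10/' \
  -e 's/^(PASS_MIN_LEN)[[:space:]].*/\1\t8/' \
  -e 's/^(PASS_MIN_DAYS)[[:space:]].*/\1\t6/' /etc/login.defs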
#设置操作超时锁定
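# Idle shell timeout: append TMOUT (seconds) to /etc/profile only when no active (uncommented)
# TMOUT setting exists yet. printf replaces `echo -e`, whose escape handling differs between
# shells; the bytes written are identical ("\nexport TMOUT=1800\n").
# Note: a plain export is advisory -- an interactive user can unset it; `readonly TMOUT` would
# make the setting non-overridable.
if ! grep -v '^#' /etc/profile | grep -q TMOUT; then
  printf '\nexport TMOUT=1800\n' >> /etc/profile
fi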
#检查密码重复使用次数
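# Password history: add remember=5 to the pam_unix.so password line so the last 5 password hashes
# are kept and cannot be reused. Like the other checks in this file, only active (uncommented)
# lines count when deciding whether the option is already present; the anchor tolerates the
# multi-space column alignment of stock system-auth files. `s/$/ remember=5/` appends to the
# end of the matched line (equivalent to the former `s/$/& remember=5/`).
if ! grep -v '^#' /etc/pam.d/system-auth | grep password | grep -q remember; then
  sed -i -E '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/s/$/ remember=5/' /etc/pam.d/system-auth
fi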
#!/bin/bash
#设置密码复杂度
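# Password complexity: enable pam_cracklib.so in /etc/pam.d/system-auth unless an active
# (uncommented) rule already exists, so re-running is idempotent. The rule is inserted before
# the pam_pwquality.so line; the anchor tolerates the multi-space column alignment of stock PAM
# files instead of requiring the exact single-spaced text. sed's `i\` is a silent no-op when the
# anchor is absent, so the anchor is checked first and a warning is printed instead.
# Note: pam_pwquality.so is the successor of pam_cracklib.so; with both present the password is
# checked by two modules.
if ! grep -v '^#' /etc/pam.d/system-auth | grep -q 'pam_cracklib\.so'; then
  if grep -Eq '^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' /etc/pam.d/system-auth; then
    sed -i -E '/^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so/i\password required pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=4' /etc/pam.d/system-auth
  else
    printf '%s: pam_pwquality.so anchor line not found, pam_cracklib.so rule not inserted\n' /etc/pam.d/system-auth >&2
  fi
fi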
#设置操作超时锁定
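# Idle shell timeout: append TMOUT (seconds) to /etc/profile only when no active (uncommented)
# TMOUT setting exists yet. printf replaces `echo -e`, whose escape handling differs between
# shells; the bytes written are identical ("\nexport TMOUT=1800\n").
# Note: a plain export is advisory -- an interactive user can unset it; `readonly TMOUT` would
# make the setting non-overridable.
if ! grep -v '^#' /etc/profile | grep -q TMOUT; then
  printf '\nexport TMOUT=1800\n' >> /etc/profile
fi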
#检查密码重复使用次数
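# Password history: add remember=5 to the pam_unix.so password line so the last 5 password hashes
# are kept and cannot be reused. Like the other checks in this file, only active (uncommented)
# lines count when deciding whether the option is already present; the anchor tolerates the
# multi-space column alignment of stock system-auth files. `s/$/ remember=5/` appends to the
# end of the matched line (equivalent to the former `s/$/& remember=5/`).
if ! grep -v '^#' /etc/pam.d/system-auth | grep password | grep -q remember; then
  sed -i -E '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/s/$/ remember=5/' /etc/pam.d/system-auth
fi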
#修改密码时效
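# Password ageing in /etc/login.defs. Each key is anchored at line start and its whole value is
# replaced, so the edit is idempotent and independent of the current default (the previous
# `s/7/10/` form rewrote the first matching digit anywhere on the line, e.g. 17 -> 107).
# `\1` is the key, `\t` restores the tab separator used in login.defs. Commented-out keys
# (`#PASS_...`) are intentionally left alone.
sed -i -E \
  -e 's/^(PASS_WARN_AGE)[[:space:]].*/\1\t10/' \
  -e 's/^(PASS_MIN_LEN)[[:space:]].*/\1\t8/' \
  -e 's/^(PASS_MIN_DAYS)[[:space:]].*/\1\t6/' /etc/login.defs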
PASS_MAX_DAYS 90 --> 密码有效天数,最长多久要变更密码
PASS_MIN_DAYS 1 --> 密码变更后,最快多久才能再次修改密码
PASS_MIN_LEN 8 --> 密码的最小设定长度
PASS_WARN_AGE 7 --> 密码失效之前几天发出警告信息。
#设置连续登录失败暂锁机制
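#######################################
# Lock an account after repeated failed logins with pam_tally.so (deny=5, auto-unlock after
# 600 s, root included via even_deny_root). Each PAM file receives an `auth` rule and an
# `account` rule, appended after a distro-specific anchor line. The two rules are checked
# independently, so a file that already has one of them gets only the missing one.
# The previous sshd `account` check compared against a literal string that also contained
# " | grep account", so it was never empty and the account rule was never added.
# Anchors tolerate the multi-space column alignment of stock PAM files. sed's `a\` is a silent
# no-op when the anchor is missing, so the anchor is verified first and a warning is printed.
# pam_tally.so is the legacy module: later notes on this page use pam_tally2.so, and newer
# distributions ship pam_faillock.so instead. even_deny_root also locks root logins after
# failed attempts, which is a lockout risk on hosts without console access.
# Arguments:
#   $1 - PAM file to edit
#   $2 - extended regex of the line after which the `auth` rule is appended
#   $3 - extended regex of the line after which the `account` rule is appended
# Outputs: warning on stderr when an anchor line is not found
#######################################
add_pam_tally() {
  local file=$1 auth_anchor=$2 account_anchor=$3

  if ! grep -v '^#' "$file" | grep 'pam_tally\.so' | grep -q '^auth'; then
    if grep -Eq "$auth_anchor" "$file"; then
      sed -i -E "/$auth_anchor/a\\auth required pam_tally.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600" "$file"
    else
      printf '%s: auth anchor line not found, pam_tally.so auth rule not added\n' "$file" >&2
    fi
  fi

  if ! grep -v '^#' "$file" | grep 'pam_tally\.so' | grep -q '^account'; then
    if grep -Eq "$account_anchor" "$file"; then
      sed -i -E "/$account_anchor/a\\account required pam_tally.so" "$file"
    else
      printf '%s: account anchor line not found, pam_tally.so account rule not added\n' "$file" >&2
    fi
  fi
}

add_pam_tally /etc/pam.d/system-auth \
  '^auth[[:space:]]+include[[:space:]]+system-auth' \
  '^account[[:space:]]+include[[:space:]]+system-auth'
add_pam_tally /etc/pam.d/sshd \
  '^auth[[:space:]]+required[[:space:]]+pam_deny\.so' \
  '^account[[:space:]]+required[[:space:]]+pam_unix\.so'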
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=300
① even_deny_root:除限制普通用户外,也限制 root 用户
② deny:设置普通用户和 root 用户连续错误登录的最大次数,超过最大次数则锁定该用户
③ unlock_time:设置普通用户被锁定后多长时间自动解锁,单位是秒;建议为 5 分钟,即 300 秒
④ root_unlock_time:设置 root 用户被锁定后多长时间自动解锁,单位是秒
如果不限制root用户,则可以写成
auth required pam_tally2.so deny=3 unlock_time=300
添加密码复杂度:
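# Password complexity: append a pam_cracklib.so rule after the pam_deny.so password line.
# Unlike the bare one-liner, this skips the edit when an active (uncommented) pam_cracklib.so
# rule already exists, so running it twice does not produce duplicate rules. The anchor
# tolerates the multi-space column alignment of stock PAM files; sed's `a\` is a silent no-op
# when the anchor is absent, so check the file afterwards if the rule does not appear.
if ! grep -v '^#' /etc/pam.d/system-auth | grep -q 'pam_cracklib\.so'; then
  sudo sed -i -E '/^password[[:space:]]+required[[:space:]]+pam_deny\.so/a\password required pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=5' /etc/pam.d/system-auth
fi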
修改密码时效:
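# Password ageing in /etc/login.defs: warn 10 days before expiry, minimum length 8, force a
# change every 90 days, and allow at most one change per day. Each key is anchored at line
# start and its whole value is replaced, so the edit is idempotent and independent of the
# current default (the previous `s/7/10/` form rewrote the first matching digit anywhere on
# the line). `\1` is the key, `\t` restores the tab separator used in login.defs.
sed -i -E \
  -e 's/^(PASS_WARN_AGE)[[:space:]].*/\1\t10/' \
  -e 's/^(PASS_MIN_LEN)[[:space:]].*/\1\t8/' \
  -e 's/^(PASS_MAX_DAYS)[[:space:]].*/\1\t90/' \
  -e 's/^(PASS_MIN_DAYS)[[:space:]].*/\1\t1/' /etc/login.defs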
添加ssh登录失败锁定:
cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=600
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
密码登录失败锁定推荐:
http://blog.itpub.net/31559985/viewspace-2674030/