Preface:
When working toward classified protection (等级保护, China's MLPS) compliance, you frequently have to harden the operating system itself. This post lists only some of the commonly used settings, for reference.
Configuring the system password policy on Ubuntu and CentOS
Password policy rule file: /etc/login.defs
Edit the rule file: sudo vim /etc/login.defs
PASS_MAX_DAYS set to 180: maximum number of days before a password expires
PASS_MIN_LEN set to 8: minimum password length of 8 characters
PASS_WARN_AGE set to 7: warn 7 days before expiry
Full configuration:
PASS_MAX_DAYS 180
PASS_MIN_LEN 8
PASS_WARN_AGE 7
Note: the ageing values in login.defs apply to accounts created after the change; existing accounts keep their current ageing fields until they are updated with chage (for example chage -M 180 -W 7 <user>, where <user> is a placeholder). On PAM-based systems the password length check is done by the PAM password stack (the minlen option of pam_pwquality in the next section), not by PASS_MIN_LEN.
Configuring password complexity on CentOS-like systems
Edit /etc/pam.d/system-auth and add the following line.
Here minlen=8 sets the minimum password length; lcredit, ucredit, dcredit and ocredit set to -1 each require at least one lowercase letter, uppercase letter, digit and other character; difok=5 requires at least 5 characters to differ from the previous password; enforce_for_root applies the checks to root as well.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=5 enforce_for_root
The complete configuration is as follows; lines 4, 5, 6, 7 and 16 were added, and their order must not be changed.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=600
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=600
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=5 enforce_for_root
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Configuring the login-failure lockout policy on CentOS-like systems
Edit /etc/pam.d/system-auth and add the following lines (see the complete configuration above).
unlock_time is the lockout duration in seconds; deny is the number of failed attempts.
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=600
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=600
Note: even_deny_root locks root as well for unlock_time seconds after deny failures, so keep a local recovery path. To inspect a user's failure counter run faillock --user <user>, and to clear it run faillock --user <user> --reset (<user> is a placeholder).
Place the line account required pam_faillock.so in the password-auth file as the first line beginning with account; in the listing below it is line 10.
After adding it, the complete configuration is as follows:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Configuring account lockout after failed logins on Ubuntu-like systems
Note: pam_faillock is part of Linux-PAM 1.4.0 and later; older releases shipped pam_tally2 for the same purpose.
Edit the file: sudo vim /etc/pam.d/common-auth, and copy the following lines to the top of the file (after the comments). deny is the number of failures; unlock_time is the lockout duration in seconds.
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=600
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=600
Then run sudo vim /etc/pam.d/common-account and copy the following line to the top of the file (after the comments):
account required pam_faillock.so
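As an added example (not from the original post), a small POSIX shell audit helper that checks the two things this post configures: the /etc/login.defs ageing values from the first section, and that pam_faillock is stacked before pam_unix with deny=3 and unlock_time=600 as in the CentOS and Ubuntu sections. The function names and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not from the original post): file
# paths are parameters; the sample files at the bottom are constructed here.

# Value of key $2 in a login.defs-style file $1 (last active line wins).
logindefs_value() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }
# Pass when PASS_MAX_DAYS <= 180, PASS_MIN_LEN >= 8 and PASS_WARN_AGE >= 7.
check_login_defs() {
    max=$(logindefs_value "$1" PASS_MAX_DAYS); len=$(logindefs_value "$1" PASS_MIN_LEN)
    warn=$(logindefs_value "$1" PASS_WARN_AGE)
    [ -n "$max" ] && [ "$max" -le 180 ] && [ -n "$len" ] && [ "$len" -ge 8 ] &&
    [ -n "$warn" ] && [ "$warn" -ge 7 ]
}
# Line number of the first non-comment line of PAM file $1 matching regex $2.
pam_line_no() {
    grep -n -E "$2" "$1" | grep -v -E '^[0-9]+:[[:space:]]*#' | head -n1 | cut -d: -f1
}
# Value of option $3 (option=value) on the first non-comment line matching regex $2.
pam_option() {
    grep -E "$2" "$1" | grep -v '^[[:space:]]*#' | head -n1 |
        tr ' \t' '\n\n' | awk -F= -v o="$3" '$1 == o { print $2; exit }'
}
# Pass when faillock preauth precedes pam_unix, authfail follows it, and the
# authfail line carries deny <= 3 and unlock_time >= 600 (the values used above).
check_faillock() {
    pre=$(pam_line_no "$1" '^auth.*pam_faillock\.so.*preauth')
    pw=$(pam_line_no "$1" '^auth.*pam_unix\.so')
    fail=$(pam_line_no "$1" '^auth.*pam_faillock\.so.*authfail')
    deny=$(pam_option "$1" '^auth.*pam_faillock\.so.*authfail' deny)
    ut=$(pam_option "$1" '^auth.*pam_faillock\.so.*authfail' unlock_time)
    [ -n "$pre" ] && [ -n "$pw" ] && [ -n "$fail" ] && [ "$pre" -lt "$pw" ] &&
    [ "$pw" -lt "$fail" ] && [ -n "$deny" ] && [ "$deny" -le 3 ] &&
    [ -n "$ut" ] && [ "$ut" -ge 600 ]
}
# Constructed samples: the auth stack from the CentOS section, and the same lines
# with faillock moved after pam_unix, where a correct password bypasses the lock.
SAMPLES=$(mktemp -d)
printf 'PASS_MAX_DAYS 180\nPASS_MIN_LEN 8\nPASS_WARN_AGE 7\n' > "$SAMPLES/login.defs"
cat > "$SAMPLES/good" <<'EOF'
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=600
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=600
EOF
{ sed -n 2p "$SAMPLES/good"; sed -n '1p;3,4p' "$SAMPLES/good"; } > "$SAMPLES/bad"
check_faillock "$SAMPLES/good" && echo "good: OK"
check_faillock "$SAMPLES/bad" || echo "bad: FAIL (faillock after pam_unix)"
```

Point the functions at the real /etc/login.defs and /etc/pam.d/system-auth (or common-auth on Ubuntu) to audit a host; the sample files only show the pass and fail cases.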