PAM (Pluggable Authentication Modules) is the modular authentication framework used on UNIX-like systems. A program that needs to authenticate a user hands the job to PAM, which loads and runs the modules configured for that service. The per-service configuration files live under /etc/pam.d.
Configuration files (paths are the RHEL/CentOS layout used throughout this page)
/etc/pam.d/password-auth
/etc/pam.d/system-auth
/etc/security/pwquality.conf
Configure password creation requirements
Edit /etc/pam.d/password-auth and /etc/pam.d/system-auth and make sure both files contain:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
Edit the password strength configuration file /etc/security/pwquality.conf so that it sets:
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
- minlen = 14 - passwords must be at least 14 characters long
- dcredit = -1 - must contain at least one digit
- ucredit = -1 - must contain at least one upper-case character
- ocredit = -1 - must contain at least one special character
- lcredit = -1 - must contain at least one lower-case character
A negative credit value is a minimum count for that character class; 0 or a positive value only grants credit toward minlen and requires nothing.
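The following audit script is an added example, not code from the original page: it checks a pwquality.conf-style file against the values above and checks a PAM file for the required pam_pwquality.so line. The files it creates under a temporary directory are constructed samples standing in for /etc/security/pwquality.conf and /etc/pam.d/system-auth.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: audit the pam_pwquality
# settings described above. The files under $tmp are constructed samples
# standing in for /etc/security/pwquality.conf and /etc/pam.d/system-auth.

# Effective value of KEY in a pwquality.conf-style FILE: comments are
# stripped, whitespace trimmed, and the last assignment wins. Prints nothing
# when the key is not set (pam_pwquality then uses its built-in default).
pwq_get() {
    sed -e 's/#.*//' "$2" | awk -F= -v k="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { if (v != "") print v }'
}

# Returns 0 when FILE meets the page policy (minlen >= 14 and every credit
# <= -1, i.e. at least one character of each class); prints each violation.
pwq_conf_check() {
    local file=$1 rc=0 minlen k v
    minlen=$(pwq_get minlen "$file")
    if [ -z "$minlen" ] || [ "$minlen" -lt 14 ]; then
        echo "FAIL: minlen=${minlen:-unset} (need 14 or more)"; rc=1
    fi
    for k in dcredit ucredit ocredit lcredit; do
        v=$(pwq_get "$k" "$file")
        # 0 or a positive value is only a credit toward minlen; it requires nothing
        if [ -z "$v" ] || [ "$v" -gt -1 ]; then
            echo "FAIL: $k=${v:-unset} (need -1 or lower to require that class)"; rc=1
        fi
    done
    return $rc
}

# Returns 0 when a PAM FILE carries a 'password requisite pam_pwquality.so'
# line with retry=3 or fewer prompts; prints the reason otherwise.
pwq_pam_check() {
    local line retry
    line=$(grep -E '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_pwquality[.]so' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no 'password requisite pam_pwquality.so' line"; return 1
    fi
    retry=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]retry=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$retry" ] || [ "$retry" -gt 3 ]; then
        echo "FAIL: retry=${retry:-unset} (need 3 or fewer)"; return 1
    fi
}

# Constructed samples: a distribution-style default and the hardened version.
tmp=$(mktemp -d)
cat > "$tmp/pwquality.default" <<'EOF'
# Minimum acceptable size for the new password
minlen = 8
dcredit = 0
ucredit = 0
EOF
cat > "$tmp/pwquality.hardened" <<'EOF'
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF
cat > "$tmp/system-auth.weak" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
cat > "$tmp/system-auth.hardened" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF

for f in pwquality.default pwquality.hardened; do
    if pwq_conf_check "$tmp/$f"; then echo "$f: compliant"; else echo "$f: NOT compliant"; fi
done
for f in system-auth.weak system-auth.hardened; do
    if pwq_pam_check "$tmp/$f"; then echo "$f: compliant"; else echo "$f: NOT compliant"; fi
done
```

To audit a real host, point pwq_conf_check at /etc/security/pwquality.conf and run pwq_pam_check against both /etc/pam.d/password-auth and /etc/pam.d/system-auth; the functions only read the files, so they are safe to run on a production box.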
Ensure lockout for failed password attempts is configured
Locking a user ID after n consecutive unsuccessful login attempts mitigates brute-force password attacks against the system.
Make sure the pam_faillock.so lines surround the pam_unix.so line in the auth stack of /etc/pam.d/password-auth and /etc/pam.d/system-auth: preauth before it, authfail and authsucc after it. The [success=1 default=bad] control on pam_unix.so skips the following authfail line when the password is correct, so only failed attempts are counted.
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
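A check for the ordering requirement above, as an added example that is not part of the original page: it reads a PAM auth file, finds the preauth, pam_unix.so and authfail lines, verifies their order and the deny/unlock_time values, and runs against two constructed sample files (one correct, one with the authfail line placed before pam_unix.so and a too-high deny value).

```shell
#!/usr/bin/env bash
# Added example (not from the original page): verify that a PAM auth file
# has pam_faillock.so wired around pam_unix.so as the page requires.
# The files under $tmp are constructed samples.

# Line number of the first 'auth' entry in FILE whose text matches ERE, or 0.
pam_auth_line() {
    local n
    n=$(awk -v re="$2" '$1 == "auth" && $0 ~ re { print NR; exit }' "$1")
    echo "${n:-0}"
}

# Numeric value of KEY=NUMBER on line N of FILE (empty when absent).
pam_line_opt() {
    sed -n "${2}p" "$1" | sed -n "s/.*[[:space:]]$3=\([0-9][0-9]*\).*/\1/p"
}

# Returns 0 when FILE has preauth before pam_unix.so, authfail after it, and
# deny<=5 / unlock_time>=900 on both faillock lines; prints each failure.
faillock_check() {
    local file=$1 rc=0 pre unix fail n deny unlock
    pre=$(pam_auth_line "$file" 'pam_faillock[.]so[[:space:]]+preauth')
    unix=$(pam_auth_line "$file" 'pam_unix[.]so')
    fail=$(pam_auth_line "$file" 'pam_faillock[.]so[[:space:]]+authfail')
    if [ "$pre" -eq 0 ] || [ "$unix" -eq 0 ] || [ "$fail" -eq 0 ]; then
        echo "FAIL: need preauth, pam_unix.so and authfail auth lines (found at $pre/$unix/$fail)"
        return 1
    fi
    if [ "$pre" -ge "$unix" ] || [ "$unix" -ge "$fail" ]; then
        echo "FAIL: preauth=$pre pam_unix=$unix authfail=$fail; need preauth < pam_unix < authfail"
        rc=1
    fi
    for n in "$pre" "$fail"; do
        deny=$(pam_line_opt "$file" "$n" deny)
        unlock=$(pam_line_opt "$file" "$n" unlock_time)
        if [ -z "$deny" ] || [ "$deny" -gt 5 ]; then
            echo "FAIL line $n: deny=${deny:-unset} (need 5 or fewer attempts)"; rc=1
        fi
        if [ -z "$unlock" ] || [ "$unlock" -lt 900 ]; then
            echo "FAIL line $n: unlock_time=${unlock:-unset} (need 900 seconds or more)"; rc=1
        fi
    done
    return $rc
}

# Constructed samples of the auth stack from password-auth / system-auth.
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth required pam_deny.so
EOF
cat > "$tmp/bad" <<'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth audit silent deny=10 unlock_time=900
auth [default=die] pam_faillock.so authfail audit deny=10 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
EOF

for f in good bad; do
    if faillock_check "$tmp/$f"; then echo "$f: compliant"; else echo "$f: NOT compliant"; fi
done
```

Run faillock_check against /etc/pam.d/password-auth and /etc/pam.d/system-auth on a real host. On RHEL 8 and later these files are generated by authselect and the deny/unlock_time values normally live in /etc/security/faillock.conf, so the check would need to read that file as well and the fix is made in the authselect profile rather than in the generated file.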
Ensure password reuse is limited
In the password stack of the same two files, remember the last 5 passwords so they cannot be reused:
password required pam_pwhistory.so remember=5
Ensure the password hashing algorithm is SHA-512
password sufficient pam_unix.so sha512
Existing hashes are only converted when a user next changes their password, so expire current passwords if they must be rehashed.
Ensure access to the su command is restricted
Edit /etc/pam.d/su and make sure it contains:
auth required pam_wheel.so use_uid
Edit /etc/group
Add the permitted users to the wheel group; here root and redhat are used as an example:
wheel:x:10:root,redhat
Check password ageing with chage -l. The output below for the redhat user shows the defaults: 99999 days between changes and no expiry, so no password ageing is enforced for this account.
[root@frog ~]# chage -l redhat
Last password change : Jun 11, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Ensure system accounts are non-login
Detection script (lists system accounts, UID below 1000, that still have a login shell; root, sync, shutdown and halt are excluded and NIS "+" entries are skipped):
grep -Ev "^\+" /etc/passwd | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/sbin/nologin" && $7!="/bin/false") {print}'
Change an account so it cannot log in:
usermod -s /sbin/nologin <user>
Batch script
For every account with a UID below 1000 other than root, lock the account; for all of those except the special accounts sync, shutdown and halt, also set the shell to /sbin/nologin. The 1000 threshold is UID_MIN from /etc/login.defs on RHEL/CentOS 7; older releases start regular users at 500.
#!/bin/bash
for user in $(awk -F: '($3 < 1000) {print $1 }' /etc/passwd); do
    if [ "$user" != "root" ]; then
        usermod -L "$user"
        if [ "$user" != "sync" ] && [ "$user" != "shutdown" ] && [ "$user" != "halt" ]; then
            usermod -s /sbin/nologin "$user"
        fi
    fi
done
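The following is an added example, not code from the original page, covering both the system-account check above and the chage password-ageing check earlier on the page. It runs the audits against constructed copies of /etc/passwd and /etc/shadow (the hashes are placeholders) and prints the usermod commands the batch script would need, without executing anything. It assumes the RHEL/CentOS 7 convention that system accounts have a UID below 1000.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: audit system accounts and
# password ageing against constructed copies of /etc/passwd and /etc/shadow,
# so the result can be reviewed before the page's usermod loop is run for real.

# System accounts (UID < 1000) that can still log in: any shell other than
# /sbin/nologin or /bin/false. root and the sync/shutdown/halt accounts are
# excluded and NIS '+' entries skipped, matching the page's detection check.
loginable_system_accounts() {
    awk -F: '$1 !~ /^[+]/ && $1 != "root" && $1 != "sync" && $1 != "shutdown" && $1 != "halt" &&
             $3 < 1000 && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

# System accounts (UID < 1000, not root) from PASSWD whose SHADOW entry is not
# locked: usermod -L prefixes the hash with '!', and '*' or '!!' mean no
# usable password, so any other value is a usable password.
unlocked_system_accounts() {
    awk -F: 'NR == FNR { if ($3 < 1000 && $1 != "root") sys[$1] = 1; next }
             ($1 in sys) && $2 !~ /^[!*]/ { print $1 }' "$1" "$2"
}

# Accounts in SHADOW with a usable password whose maximum age (field 5) is
# unset or 99999, which is what "Maximum number of days between password
# change : 99999" in the chage -l output above corresponds to.
no_password_expiry() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# The usermod commands the page's batch script would need on this data; only
# prints them, so it can be reviewed first.
remediation_plan() {
    local u
    for u in $(unlocked_system_accounts "$1" "$2"); do echo "usermod -L $u"; done
    for u in $(loginable_system_accounts "$1"); do echo "usermod -s /sbin/nologin $u"; done
}

# Constructed sample data; the hashes are placeholders, not real password hashes.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
redhat:x:1000:1000::/home/redhat:/bin/bash
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$placeholder$rootHASH:18424:0:99999:7:::
bin:*:18353:0:99999:7:::
sync:*:18353:0:99999:7:::
shutdown:*:18353:0:99999:7:::
halt:*:18353:0:99999:7:::
operator:$6$placeholder$operatorHASH:18424:0:99999:7:::
ftp:$6$placeholder$ftpHASH:18353:0:99999:7:::
redhat:$6$placeholder$redhatHASH:18424:0:90:7:::
EOF

echo "system accounts with a login shell:"; loginable_system_accounts "$tmp/passwd"
echo "system accounts not locked in shadow:"; unlocked_system_accounts "$tmp/passwd" "$tmp/shadow"
echo "accounts whose password never expires:"; no_password_expiry "$tmp/shadow"
echo "remediation plan:"; remediation_plan "$tmp/passwd" "$tmp/shadow"
```

On the sample data, operator is both loginable and unlocked, ftp has a nologin shell but still a usable password (so the shell check alone would miss it), and root, operator and ftp have no password expiry while redhat has a 90-day maximum. On a real host, pass /etc/passwd and /etc/shadow (the latter needs root) and compare the plan with what the batch script would do.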