Common Linux hardening notes

Set password complexity

Shell commands:

```shell
# Add a pam_cracklib line only when no active one exists yet
if [ -z "`cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_cracklib.so"`" ];then
    sed -i '/password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=/i\password required pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=4' /etc/pam.d/system-auth
fi
```

Parameter explanation:

- retry=3: number of retries allowed when changing the password
- difok=4: number of characters that must differ from the old password
- minlen=8: minimum length of the new password
- One rule to remember for the credit options: a value greater than 0 (positive) means the configured count is the maximum allowed for that character class; a value less than 0 (negative) means the configured count is the minimum required.
- dcredit=-1: the password must contain at least one digit
- ucredit=-1: the password must contain at least one uppercase letter
- lcredit=-1: the password must contain at least one lowercase letter
- ocredit=-1: the password must contain at least one special character

Change password aging:

```shell
sed -i '/PASS_WARN_AGE/s/7/10/' /etc/login.defs
sed -i '/PASS_MIN_LEN/s/5/8/' /etc/login.defs
sed -i '/PASS_MIN_DAYS/s/0/6/' /etc/login.defs
```

Set idle-session timeout lock:

```shell
# Append TMOUT only when no active setting exists in /etc/profile
if [ -z "`cat /etc/profile | grep -v "^#" | grep TMOUT`" ];then
    echo -e "\nexport TMOUT=1800" >> /etc/profile
fi
```

Check the password reuse count:

```shell
# Append remember=5 to the pam_unix password line when no remember= option exists
if [ -z "`cat /etc/pam.d/system-auth | grep password | grep remember`" ];then
    sed -i '/password sufficient pam_unix.so/s/$/& remember=5/' /etc/pam.d/system-auth
fi
```

The same settings combined into one script:

```shell
#!/bin/bash
# Set password complexity
if [ -z "`cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_cracklib.so"`" ];then
    sed -i '/password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=/i\password required pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=4' /etc/pam.d/system-auth
fi
# Set idle-session timeout lock
if [ -z "`cat /etc/profile | grep -v "^#" | grep TMOUT`" ];then
    echo -e "\nexport TMOUT=1800" >> /etc/profile
fi
# Check the password reuse count
if [ -z "`cat /etc/pam.d/system-auth | grep password | grep remember`" ];then
    sed -i '/password sufficient pam_unix.so/s/$/& remember=5/' /etc/pam.d/system-auth
fi
# Change password aging
sed -i '/PASS_WARN_AGE/s/7/10/' /etc/login.defs
sed -i '/PASS_MIN_LEN/s/5/8/' /etc/login.defs
sed -i '/PASS_MIN_DAYS/s/0/6/' /etc/login.defs
```

Meaning of the /etc/login.defs entries:

- PASS_MAX_DAYS 90 --> number of days a password stays valid; the longest interval before it must be changed
- PASS_MIN_DAYS 1 --> after a password change, the shortest interval before it can be changed again
- PASS_MIN_LEN 8 --> minimum password length
- PASS_WARN_AGE 7 --> how many days before expiry a warning is issued

Set a temporary lockout after consecutive failed logins:

```shell
# Each sed inserts its line only after the anchor pattern it names; confirm the
# anchor line exists in your distribution's PAM file before relying on this.
if [ -z "`cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_tally.so"`" ];then
    if [ -z "`cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_tally.so" | grep auth`" ];then
        sed -i '/auth include system-auth/a\auth required pam_tally.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/system-auth
    fi
    if [ -z "`cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_tally.so" | grep account`" ]; then
        sed -i '/account include system-auth/a\account required pam_tally.so' /etc/pam.d/system-auth
    fi
fi
if [ -z "`cat /etc/pam.d/sshd | grep -v "^#" | grep "pam_tally.so"`" ];then
    if [ -z "`cat /etc/pam.d/sshd | grep -v "^#" | grep "pam_tally.so" | grep auth`" ];then
        sed -i '/auth required pam_deny.so/a\auth required pam_tally.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/sshd
    fi
    # The closing backtick must come after "grep account", otherwise the test is never empty
    if [ -z "`cat /etc/pam.d/sshd | grep -v "^#" | grep "pam_tally.so" | grep account`" ];then
        sed -i '/account required pam_unix.so/a\account required pam_tally.so' /etc/pam.d/sshd
    fi
fi
```

Example pam_tally2 line:

```
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=300
```

- even_deny_root: in addition to normal users, also restrict root
- deny: the maximum number of consecutive failed logins for normal users and root; once exceeded, the user is locked
- unlock_time: the number of seconds after which a locked normal user is unlocked; 5 minutes (300 seconds) is recommended
- root_unlock_time: the number of seconds after which a locked root user is unlocked

If root should not be restricted, write it as:

```
auth required pam_tally2.so deny=3 unlock_time=300
```

Add password complexity:

```shell
sudo sed -i '/password required pam_deny.so/a\password required pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=5' /etc/pam.d/system-auth
```

Change password aging:

```shell
sed -i '/PASS_WARN_AGE/s/7/10/' /etc/login.defs
sed -i '/PASS_MIN_LEN/s/5/8/' /etc/login.defs
sed -i '/PASS_MAX_DAYS/s/99999/90/' /etc/login.defs
sed -i '/PASS_MIN_DAYS/s/0/1/' /etc/login.defs
```

Add an SSH login-failure lockout (the resulting file):

```
cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=600
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
```

Recommended reading on password login-failure lockout: http://blog.itpub.net/31559985/viewspace-2674030/
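An audit-only companion to the aging, complexity, reuse and lockout settings above, added here as an example and not code from the original post: it reads a login.defs file and a PAM file (paths are arguments, so it can be run against copies) and reports whether the thresholds used in these notes are present, modifying nothing. The sample files it runs against are constructed for the demo; the helper names in_range, login_defs_value, pam_opt, check_login_defs and check_pam are this example's own.

```shell
#!/bin/sh
# Audit-only checks (added example, not code from the original post): read a
# login.defs file and a PAM file, report which thresholds from the notes are
# missing, modify nothing. Sample files at the bottom are constructed for a demo.
# in_range VALUE OP LIMIT -> true when VALUE is a number and "VALUE OP LIMIT" holds
in_range() { case "$1" in ''|*[!0-9]*) return 1;; esac; [ "$1" "$2" "$3" ]; }

# login_defs_value FILE KEY -> effective value of KEY (last uncommented line wins)
login_defs_value() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# pam_opt FILE TYPE MODULE_REGEX OPTION -> value of OPTION on the first active
# line of TYPE (auth/account/password/session) that loads a matching module
pam_opt() {
    grep -v '^[[:space:]]*#' "$1" | awk -v t="$2" '$1 == t' | grep -E "$3" \
        | tr ' \t' '\n\n' | awk -F= -v o="$4" '$1 == o { print $2; exit }'
}

# check_login_defs FILE -> 0 when every aging threshold from the notes holds
check_login_defs() {
    f="$1"; rc=0
    in_range "$(login_defs_value "$f" PASS_MAX_DAYS)" -le 90 || { echo "PASS_MAX_DAYS not <= 90"; rc=1; }
    in_range "$(login_defs_value "$f" PASS_MIN_DAYS)" -ge 1  || { echo "PASS_MIN_DAYS not >= 1"; rc=1; }
    in_range "$(login_defs_value "$f" PASS_MIN_LEN)"  -ge 8  || { echo "PASS_MIN_LEN not >= 8"; rc=1; }
    in_range "$(login_defs_value "$f" PASS_WARN_AGE)" -ge 7  || { echo "PASS_WARN_AGE not >= 7"; rc=1; }
    return $rc
}

# check_pam FILE -> 0 when complexity, password history and lockout are all configured
check_pam() {
    f="$1"; rc=0
    in_range "$(pam_opt "$f" password 'pam_cracklib\.so|pam_pwquality\.so' minlen)" -ge 8 \
        || { echo "no pam_cracklib/pam_pwquality line with minlen>=8"; rc=1; }
    in_range "$(pam_opt "$f" password 'pam_unix\.so' remember)" -ge 5 \
        || { echo "pam_unix.so remember missing or < 5"; rc=1; }
    in_range "$(pam_opt "$f" auth 'pam_tally2?\.so' deny)" -le 5 \
        || { echo "no pam_tally/pam_tally2 auth line with deny<=5"; rc=1; }
    return $rc
}
# Constructed sample files (not real system files) for a demo run
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
printf '%s\n' 'PASS_MAX_DAYS 90' 'PASS_MIN_DAYS 1' 'PASS_MIN_LEN 8' 'PASS_WARN_AGE 7' > "$DEMO/login.defs"
printf '%s\n' 'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' 'PASS_MIN_LEN 5' 'PASS_WARN_AGE 7' > "$DEMO/login.defs.weak"
printf '%s\n' \
  'auth     required   pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=300' \
  'auth     sufficient pam_unix.so nullok try_first_pass' \
  'password required   pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=4' \
  'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5' > "$DEMO/system-auth"
if check_login_defs "$DEMO/login.defs" && check_pam "$DEMO/system-auth"; then echo "sample config: all checks pass"; fi
check_login_defs "$DEMO/login.defs.weak" || echo "weak sample: findings above"
```

Run it against copies of the real files with check_login_defs /path/to/login.defs and check_pam /path/to/system-auth; a non-zero return means at least one finding was printed.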