Linux MLPS (等保) Password Policy
- 1. sudo restrictions
- 2. Lockout on password guessing
- 2.1 CentOS 7
- 2.2 Ubuntu 18.04
- 3. Password expiry
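1. sudo restrictions
Remove sudo ALL=(ALL) grants from ordinary users
# Delete every sudoers line that starts with a user holding an ALL= rule (root and wheel are kept)
for i in $(grep 'ALL=' /etc/sudoers | grep -Ev '#|root|wheel' | awk '{print $1}'); do sed -i "/$i/d" /etc/sudoers; done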
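2. Lockout on password guessing
Automatically log out of the shell after 10 minutes of inactivity
Passwords must be at least 10 characters long and contain uppercase and lowercase letters, digits, and special characters
After 5 failed logins, lock the account for 10 minutes.
2.1 CentOS 7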
\cp /etc/pam.d/sshd{,.bak}
sed -ri 's#.*pam_nologin.so#auth required pam_tally2.so even_deny_root deny=5 unlock_time=600 root_unlock_time=600#' /etc/pam.d/sshd
\cp /etc/pam.d/system-auth{,.bak}
sed -i '/pam_pwquality.so/d' /etc/pam.d/system-auth
echo "password requisite pam_pwquality.so try_first_pass local_users_only retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-1 ocredit=-1" >> /etc/pam.d/system-auth
echo "export TMOUT=600" >>/etc/profile
source /etc/profile
2.2 Ubuntu 18.04
apt install libpam-cracklib -y
\cp /etc/pam.d/common-password{,.bak}
sed -i '2ipassword requisite pam_cracklib.so retry=5 minlen=10 difok=3 ucredit=-1 lcredit=-3 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
\cp /etc/pam.d/sshd{,.bak}
sed -i "2iauth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600" /etc/pam.d/sshd
# Back up /etc/profile before appending to it
\cp /etc/profile{,.bak}
echo "export TMOUT=600" >>/etc/profile
source /etc/profile
3. Password expiry
Passwords expire after 90 days
Passwords must be at least 10 characters long
\cp /etc/login.defs{,.bak}
sed -Eri 's/^(PASS_MAX_DAYS).*/\1 90/' /etc/login.defs
sed -Eri 's/^(PASS_MIN_LEN).*/\1 10/' /etc/login.defs
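An added example, not part of the original post: a read-only check that the files edited in sections 2 and 3 actually carry the values listed above. The function names (pam_opt, defs_val, check, audit_policy) and the root-prefix argument are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of the values configured on this page.
# Function names and the ROOT prefix argument are hypothetical.

# pam_opt FILE MODULE KEY: value of KEY=... on the first uncommented
# line that loads MODULE and carries KEY (empty output if absent).
pam_opt() {
  awk -v m="$2" -v k="$3" '
    /^[ \t]*#/ { next }
    index($0, m) {
      for (i = 1; i <= NF; i++)
        if (split($i, kv, "=") == 2 && kv[1] == k) { print kv[2]; exit }
    }' "$1" 2>/dev/null
}

# defs_val FILE KEY: value of an uncommented "KEY value" line.
defs_val() { awk -v k="$2" '$1 == k { print $2; exit }' "$1" 2>/dev/null; }

# check NAME ACTUAL OP WANT: integer test; a missing value counts as a failure.
check() {
  if [ -n "$2" ] && [ "$2" "$3" "$4" ] 2>/dev/null; then
    echo "PASS $1=$2"
  else
    echo "FAIL $1=${2:-unset} (want $3 $4)"; FAILED=$((FAILED + 1))
  fi
}

# audit_policy ROOT PWFILE PWMODULE: exit status = number of failed checks.
audit_policy() {
  local root="$1" pwfile="$2" pwmod="$3" c tm; FAILED=0
  check deny        "$(pam_opt "$root/etc/pam.d/sshd" pam_tally2.so deny)" -le 5
  check unlock_time "$(pam_opt "$root/etc/pam.d/sshd" pam_tally2.so unlock_time)" -ge 600
  check minlen      "$(pam_opt "$root/$pwfile" "$pwmod" minlen)" -ge 10
  for c in ucredit lcredit dcredit ocredit; do   # negative = required count
    check "$c" "$(pam_opt "$root/$pwfile" "$pwmod" "$c")" -le -1
  done
  check PASS_MAX_DAYS "$(defs_val "$root/etc/login.defs" PASS_MAX_DAYS)" -le 90
  check PASS_MIN_LEN  "$(defs_val "$root/etc/login.defs" PASS_MIN_LEN)" -ge 10
  tm=$(sed -n 's/^export TMOUT=\([0-9][0-9]*\)$/\1/p' "$root/etc/profile" 2>/dev/null | tail -n 1)
  [ "$tm" = 0 ] && tm=   # TMOUT=0 disables the idle logout
  check TMOUT "$tm" -le 600
  return "$FAILED"
}
```

On CentOS 7 call `audit_policy "" etc/pam.d/system-auth pam_pwquality.so`; on Ubuntu 18.04 call `audit_policy "" etc/pam.d/common-password pam_cracklib.so`.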
