Centos7 Linux 安全防范攻略
1.1 设置密码失效时间
1.1.1 描述
设置密码失效时间,强制定期修改密码,减少密码被泄漏和猜测风险,使用非密码登陆方式(如密钥对)请忽略此项。
检查提示
–
加固建议
使用非密码登陆方式如密钥对,请忽略此项。在 /etc/login.defs中将 PASS_MAX_DAYS 参数设置为 60-180之间,如:
PASS_MAX_DAYS 90
需同时执行命令设置root密码失效时间:
chage --maxdays 90 root
操作时建议做好记录或备份
1.1.2 修复操作步骤
编辑配置文件
vi /etc/login.defs
打开文件内容如下:
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
输入i,进入插入修改模式,在 /etc/login.defs中将 PASS_MAX_DAYS 参数设置为 60-180之间,修改内容如下:
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
按ESC,然后输入命令保存文件并退出
:wq
需同时执行命令设置root密码失效时间
chage --maxdays 90 root
1.2 设置密码修改最小间隔时间
描述
设置密码修改最小间隔时间,限制密码更改过于频繁
检查提示
–
加固建议
在 /etc/login.defs 中将 PASS_MIN_DAYS 参数设置为7-14之间,建议为7:
PASS_MIN_DAYS 7
需同时执行命令为root用户设置:
chage --mindays 7 root
操作时建议做好记录或备份
1.3 密码复杂度检查
描述
检查密码长度和密码是否使用多种字符类型
检查提示
–
加固建议
编辑/etc/security/pwquality.conf,把minlen(密码最小长度)设置为9-32位,把minclass(至少包含小写字母、大写字母、数字、特殊字符等4类字符中等3类或4类)设置为3或4。如:
minlen=10
minclass=3
操作时建议做好记录或备份
1.4 检查密码重用是否受限制
描述
强制用户不重用最近使用的密码,降低密码猜测攻击风险
检查提示
--
加固建议
在/etc/pam.d/password-auth和/etc/pam.d/system-auth中password sufficient pam_unix.so 这行的末尾配置remember参数为5-24之间,原来的内容不用更改,只在末尾加了remember=5。
操作时建议做好记录或备份
1.5 设置SSH空闲超时退出时间
描述
设置SSH空闲超时退出时间,可降低未授权用户访问其他用户ssh会话的风险
检查提示
–
加固建议
编辑/etc/ssh/sshd_config,将ClientAliveInterval 设置为300到900,即5-15分钟,将ClientAliveCountMax设置为0-3之间。
ClientAliveInterval 600
ClientAliveCountMax 2
操作时建议做好记录或备份