1. Password policy
1.1. Password Policy
Default policy:
[root@hdp301 /]# cat /etc/login.defs
Recommended password policy settings for a Linux operating system:
- PASS_MAX_DAYS 90 # Maximum validity period of the password, in days
- PASS_MIN_DAYS 2 # The password can be changed again only after 2 days
- PASS_WARN_AGE 7 # Warn the user at login, starting 7 days before the password expires
- PASS_MIN_LEN 8 # Minimum password length; when the pam_cracklib module is used, this parameter no longer takes effect
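One way to check an existing login.defs against the values listed above (an added example, not part of the original page; the function names are hypothetical, and treating 90 as an upper bound and 2 and 7 as lower bounds is an assumption):

```shell
#!/bin/sh
# Added example: audit a login.defs-style file against the section 1.1 values.

# Print the value of KEY ($1) in FILE ($2), skipping commented-out lines.
# Assumption: if a key is repeated, the last occurrence is the effective one.
get_def() {
    awk -v k="$1" '$1 == k && NF >= 2 { v = $2 } END { if (v != "") print v }' "$2"
}

# check_range KEY MIN MAX FILE: print a PASS/FAIL line, return 1 on FAIL.
check_range() {
    val=$(get_def "$1" "$4")
    case $val in
        '' | *[!0-9]*) echo "FAIL $1: unset or not a non-negative integer"; return 1 ;;
    esac
    if [ "$val" -ge "$2" ] && [ "$val" -le "$3" ]; then
        echo "PASS $1=$val"
    else
        echo "FAIL $1=$val (expected $2..$3)"; return 1
    fi
}

# Return status is the number of failed checks (0 = compliant).
audit_login_defs() {
    fails=0
    check_range PASS_MAX_DAYS 1 90 "$1"    || fails=$((fails + 1))
    check_range PASS_MIN_DAYS 2 99999 "$1" || fails=$((fails + 1))
    check_range PASS_WARN_AGE 7 99999 "$1" || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample input, not output taken from the page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PASS_MAX_DAYS 90
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
audit_login_defs "$sample" || echo "failed checks: $?"
rm -f "$sample"
```

The values in login.defs apply to accounts created afterwards; existing accounts keep the ageing fields stored in /etc/shadow, which `chage -l <user>` displays.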
1.2. Implementing password complexity
Default:
After modification:
password requisite pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
- retry=N: number of attempts allowed before the password change returns an error
- difok=N: number of characters in the new password that must differ from the old password
- dcredit=N: N >= 0: at most how many digits in the password; N < 0: at least how many digits in the password
- lcredit=N: the number of lowercase letters
- ucredit=N: the number of uppercase letters
- ocredit=N: the number of special characters
- minclass=N: number of character classes the password must be composed of (uppercase/lowercase letters, digits, special characters)
- A value of -1 means at least 1 character of that type
1.3. Setting the account lockout policy for authentication failures
Default policy:
[root@hdp301 /]# cat /etc/pam.d/login
Change to:
account required /usr/lib64/security/pam_tally2.so deny=5 no_magic_root reset
deny=5 locks the user after 5 failed logins
2. Setting the Linux user connection idle timeout period
2.1. For all users
[root@hdp301 /]# cat /etc/profile
2.2. For specific users
cd /home/sfyp_audit
vim .bash_profile
export TMOUT=300
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S `whoami` " # This will show the user who executed the command