Linux 等保 (MLPS) password policy
1. sudo restrictions
Forbid ordinary users from holding a sudo ALL=(ALL) rule
cp -p /etc/sudoers /etc/sudoers.bak
# Keep root and group rules (%wheel, %sudo); drop per-user ALL= rules
for i in $(grep 'ALL=' /etc/sudoers | grep -Ev '^[[:space:]]*#|^root[[:space:]]|^%' | awk '{print $1}'); do
    sed -i "/^${i}[[:space:]]/d" /etc/sudoers   # anchored to the user field so unrelated lines that merely contain the name survive
done
visudo -c   # syntax check before anything relies on the edited file
2. Lockout on password guessing
Log the shell out automatically after 10 minutes without activity
Password length of at least 10 characters; must contain uppercase, lowercase, digits and special characters
Lock the account after 5 failed logins; the lock lasts 10 minutes.
2.1 CentOS 7
\cp /etc/pam.d/sshd{,.bak}
# Insert pam_tally2 as the first auth rule (line 1 is the #%PAM-1.0 header) instead of overwriting pam_nologin.so
sed -i '2iauth required pam_tally2.so even_deny_root deny=5 unlock_time=600 root_unlock_time=600' /etc/pam.d/sshd
# Without an account rule the failure counter is never reset after a successful login
sed -i '/^account.*pam_nologin.so/iaccount required pam_tally2.so' /etc/pam.d/sshd
\cp /etc/pam.d/system-auth{,.bak}
# Edit the existing pam_pwquality line in place: it must stay before pam_unix.so (sufficient),
# so deleting it and appending at the end of the file would leave it unreachable
sed -ri 's/^(password\s+requisite\s+pam_pwquality\.so).*/\1 try_first_pass local_users_only retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-1 ocredit=-1/' /etc/pam.d/system-auth
echo "export TMOUT=600" >>/etc/profile
source /etc/profile
2.2 Ubuntu 18.04
apt install libpam-cracklib -y
\cp /etc/pam.d/common-password{,.bak}
# pam-auth-update normally adds a pam_cracklib line on install; add one before pam_unix.so only if it is missing,
# then set the parameters in place rather than inserting a duplicate line
grep -q pam_cracklib.so /etc/pam.d/common-password || sed -i '/pam_unix.so/ipassword requisite pam_cracklib.so' /etc/pam.d/common-password
sed -ri 's/^(password\s+requisite\s+pam_cracklib\.so).*/\1 retry=5 minlen=10 difok=3 ucredit=-1 lcredit=-3 dcredit=-1 ocredit=-1/' /etc/pam.d/common-password
\cp /etc/pam.d/sshd{,.bak}
sed -i "2iauth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600" /etc/pam.d/sshd
sed -i '/^account.*pam_nologin.so/iaccount required pam_tally2.so' /etc/pam.d/sshd   # resets the counter after a successful login
\cp /etc/profile{,.bak}   # back up before appending
echo "export TMOUT=600" >>/etc/profile
source /etc/profile
3. Password expiry
Passwords expire after 90 days
Passwords are at least 10 characters long
\cp /etc/login.defs{,.bak}
sed -Eri 's/^(PASS_MAX_DAYS).*/\1 90/' /etc/login.defs
sed -Eri 's/^(PASS_MIN_LEN).*/\1 10/' /etc/login.defs   # ignored once pam_pwquality/pam_cracklib enforces minlen (section 2); kept for the baseline check
# login.defs only applies to accounts created afterwards; existing users need: chage -M 90 <user>
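To confirm the three settings above actually landed, here is an added audit helper (example code, not part of the original notes). The check functions take file contents rather than paths, so they run offline on the constructed sample below; on a host, pass "$(cat /etc/pam.d/sshd)" and so on. The thresholds (5 attempts, 600 s, minlen 10, 90 days) are the ones this page sets.

```bash
#!/usr/bin/env bash
# Audit helper for the policy above (added example, not part of the original notes).
# Each check takes file CONTENTS, not a path, so it runs offline on constructed
# samples; on a host, call e.g. check_lockout "$(cat /etc/pam.d/sshd)".

# pam_param CONTENT MODULE KEY: value of KEY on the first active (uncommented) line using MODULE
pam_param() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -m1 "$2" \
        | tr -s '[:space:]' '\n' | sed -n "s/^$3=//p"
}

# check_lockout CONTENT: pam_tally2 present, deny <= 5 attempts, unlock_time <= 600 s
check_lockout() {
    local deny unlock
    deny=$(pam_param "$1" 'pam_tally2\.so' deny)
    unlock=$(pam_param "$1" 'pam_tally2\.so' unlock_time)
    [ -n "$deny" ] && [ "$deny" -le 5 ] && [ -n "$unlock" ] && [ "$unlock" -le 600 ]
}

# check_complexity CONTENT: pwquality/cracklib with minlen >= 10 and a negative
# (= minimum count) credit for upper, lower, digit and other characters
check_complexity() {
    local mod minlen c v
    mod=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -oE 'pam_(pwquality|cracklib)\.so' | head -n1)
    [ -n "$mod" ] || return 1
    minlen=$(pam_param "$1" "$mod" minlen)
    [ -n "$minlen" ] && [ "$minlen" -ge 10 ] || return 1
    for c in ucredit lcredit dcredit ocredit; do
        v=$(pam_param "$1" "$mod" "$c")
        [ -n "$v" ] && [ "$v" -le -1 ] || return 1
    done
}

# check_expiry CONTENT: login.defs PASS_MAX_DAYS <= 90
check_expiry() {
    local days
    days=$(printf '%s\n' "$1" | sed -n 's/^PASS_MAX_DAYS[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n1)
    [ -n "$days" ] && [ "$days" -le 90 ]
}

# Constructed sample: a hardened /etc/pam.d/sshd as produced by section 2
SAMPLE_SSHD='auth     required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600
account  required pam_tally2.so
account  required pam_nologin.so'
check_lockout "$SAMPLE_SSHD" && echo "lockout policy: OK" || echo "lockout policy: MISSING"
```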